After Chinese hacks, how do we secure the Internet of Things?

Reading about the Chinese hackers hitting the U.S. Chamber of Commerce in Washington, D.C., I was struck by the last two paragraphs, which detailed how the hackers accessed the IP address of a thermostat — as well as the overall tone of resignation around preventing such attacks — and I wondered: How will we secure the web of things? Do we need to give up on the idea of perimeter-based security on the web? From the Wall Street Journal article:

The Chamber continues to see suspicious activity, they say. A thermostat at a town house the Chamber owns on Capitol Hill at one point was communicating with an Internet address in China, they say, and, in March, a printer used by Chamber executives spontaneously started printing pages with Chinese characters.

“It’s nearly impossible to keep people out. The best thing you can do is have something that tells you when they get in,” said Mr. Chavern, the chief operating officer. “It’s the new normal. I expect this to continue for the foreseeable future. I expect to be surprised again.”

In a way, this might be a healthier attitude than thinking you can build strong enough walls to keep hackers out; after all, those walls aren’t just composed of IT defenses but also rely on educating people on how to behave in the face of social-engineering tricks. As someone who locks her doors at night, and feels like keeping people out as opposed to just hoping that when people get in an alarm goes off, the mindset seems anxiety-producing. But the web, the cloud and the emerging network of connected devices aren’t as easy to defend as a home. There are no defined perimeters or limited access points, which means our IT security, legislation aimed at the web and burgeoning M2M networks need a different approach.

On the IT side, CloudPassage has built a service that’s an interesting approach to securing cloud resources while recognizing the impermanence and porous nature of the medium. It installs software on virtual machines that sends all security and compliance checks out to a separate cloud that then makes sure the traffic follows the rules. It recognizes that securing thousands of virtual machines that pop up and go offline randomly has to take a different approach.

In government, where the Stop Online Piracy Act takes the Maginot Line approach to protecting IP on the web, alternatives such as the Online Protection & Enforcement of Digital Trade Act (which still has some well-documented issues) lean toward an approach that recognizes willful bad guys and leaves accidental infringers of copyright alone. Again, instead of building a wall that could keep everyone out — even legitimate businesses, activists and journalists — the OPEN approach tries to track bad actors but also offer a recourse to those accused of being a bad actor.

As for hacking thermostats, I’m not sure what type of security needs to protect our connected devices and networks, but it’s a question we should be addressing. After all, we have now seen hacked pacemakers, insulin pumps and thermostats. That’s unlikely to be the end of the list.

Image courtesy of The U.S. Army.