As the volume of information about absolutely everything we do becomes increasingly large, and as the number of recent data security breaches continues to climb, large consumers of telecommunications services have tried to be increasingly vigilant about staying current on the latest and greatest techniques for managing potential privacy and security breaches. Most Americans are familiar with horror stories of the recent major data breaches that have hit the headlines in a big way and think quietly to themselves something along the lines of “there but for the grace of God…” (you know the rest). Target and Anthem come to mind immediately, but there are legions of others. Consider the fact that these major corporations make an effort to use current relatively state-of-the-art detection and monitoring systems, and even they’ve been infiltrated with current malware. Should you be concerned? Absolutely. But wait. There’s more.
Now consider the routers you use at home or in less high-profile parts of your operation. How old are they? In many cases, the honest answer is at least several years old. Based on the age and sophistication of all of the existing network components, the information stored on--or traveling over--the network is not just vulnerable to the type of threats that have affected the Targets and Anthems of the world, but also to very real threats that are years old and correspondingly much less sophisticated than those currently making the rounds. Think of the adage “a chain is only as strong as its weakest link.” Be concerned. Very concerned.
Aware of these obvious vulnerabilities made all the more acute by the explosion of the Internet of Things, the Federal Trade Commission has taken action. (Its report, which was released in January, can be found here.)
FTC Chair Edith Ramirez is motivated by the fact that the privacy and security concerns created by the rise of the Internet of Things have the potential to undermine consumer (you can easily insert the words “student,” “faculty,” or “staff”) confidence in a significant way. “The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” she said recently. Commissioner Ramirez believes that technology innovation is only a good thing if consumers are confident that they won’t be the next victims of a high-profile breach. If this heretofore private information is readily accessible to the immediate world, and what was thought to be private is now public, consumers have good reason to be alarmed in general and distrustful of the companies who manufacture, distribute and sell such goods and services.
In its report, the FTC made several important suggestions to mitigate consumers’ concerns. First, the FTC encourages manufacturers to ensure that security is built into devices as they’re made, rather than after they’re already on the market. Secondly, the agency suggests that all employees be instructed on the importance of information security, and that security issues have a sufficiently high profile within the manufacturing/selling organization to keep them front and center at all times. Although there are other suggestions, the last uber-critical one is that devices be monitored throughout their anticipated life cycle (think home routers) such that security updates and patches are provided at all times to cover known and newly discovered risks regardless of the age of the device.
In addition, the FTC also suggests that companies in this space consider “data minimization,” the practice of limiting the collection and retention of consumer data for a set period of time only, and never indefinitely. According to the FTC, data minimization has two goals with respect to privacy: first, accepting the risk that a company with a large store of consumer data is “a more enticing target” for data thieves or hackers based upon the volume of data that it has, and second, acknowledging that “available consumer data will be used in ways contrary to consumers’ expectations.” Finally, the FTC strongly suggests that companies selling IoT items to consumers educate those consumers about their reasonable expectations of what information is being collected and stored, and for what period of time.
Jahangir Mohammed, Chairman of the Silicon Valley-based tech company Jasper, said in a recent interview that “The real power of the Internet of Things is that it transforms a static product into a dynamic service. Once a thing is connected, it really becomes unlimited in terms of what it can process, because it can borrow from all the computers in the Internet to do the processing and it has real-time access to all the information in the Internet. It’s no longer an isolated thing. It’s become part of a fabric of everything connected. It’s a part of a much larger fabric. It’s a service. This is the real power of the Internet of Things.”
So how does this apply to a campus environment? Mark Reynolds, ACUTA’s current president and the Associate Director of IT at the University of New Mexico, commented recently that “we sit fat and happy and negotiate a contract and buy a product, and then everyone forgets what the contract terms are, and what the license agreement says about important things like renewal, upgrades, and ongoing maintenance. Then we have a problem, and suddenly, because everyone was busy keeping the lights on that we’re not looking down the road three years. Only when something goes wrong do we discover that the device/service is at end of life or needs support that has long since expired. And then we’re doubly vulnerable: both to vendors who come to us and say ‘oh yes, here’s your renewal, sign now or else’ and to outsiders trying to weasel into our networks/devices that we thought were secure.”
Mr. Reynolds suggests the creation and ongoing maintenance of an information repository, containing information about renewals, updates and any other information regarding the licensed product or service. “The repository should contain triggers that could be set to time not only with contract terms, but in alignment with budget cycles so that we are forced to look and plan ahead for these renewals. Once there’s a problem, it’s too late. We need to know in advance so that we can manage both the practical aspects of an unanticipated problem and the budget process so that we can manage providers in the best way that we can.”
The additional information that’s generated by the IoT is no doubt powerful. But with great power comes great responsibility—on the part of the manufacturer, distributor, retail outlet and, ultimately, the consumer. Privacy and security experts encourage consumers, in the strongest possible terms, to consider the risks and consequences before sharing seemingly harmless information with the immediate world. I couldn’t agree more.