FBI CISO warns of IoT data breaches
In a keynote address, FBI CISO Arlette Hart tackled the Internet of Things and explained why enterprises need to step up their IoT security efforts.
The FBI's chief information security officer warned the impact of IoT data breaches could be much worse for end users than previous enterprise data breaches.
During her keynote address at the 2015 IoT Security Conference in Boston on Tuesday, FBI CISO Arlette Hart discussed how the growth rate of the Internet of Things (IoT) is outpacing IoT security efforts and implored enterprises to take action before disaster strikes. With technology, "Cool trumps safe," she said. "The capabilities, themselves, are almost always developed without security in mind. We need to change that [for IoT]."
IoT introduces an overwhelming volume of new devices, data, network traffic and protocols that have already had a profound impact on IT and cybersecurity strategies. IoT data, she said, will change how breaches affect end users. Hart said the impact of recent retail data breaches on end users has been "relatively light."
But in the case of an IoT data breach, Hart said the impact will have serious effects on end users, because their sensitive data is interconnected with personal devices, such as their door locks, cars, baby monitors, thermostats, lights, security cameras and other household appliances. That information, in the hands of a cybercriminal, can be devastating and result in a serious breach of privacy.
"Last year, I got a new credit card. I got credit monitoring, too. What else did I feel from all of these breaches?" Hart said. "But when we move into IoT, I think the world is going to change a little bit. I think it's going to change to the point where, when compromises happen, people are going to feel it."
As IoT data is created, transmitted and stored, it represents a new opportunity for threat actors to steal sensitive information, Hart said. It also poses significant threats to the enterprise and the end user, because cybercriminals can cause physical havoc by tampering with devices.
Hart noted that it's not just outsiders that enterprises need to be wary of. "Malicious insiders are an internal threat to your infrastructure. The inadvertent insider is one of the biggest causes of compromise. You trust our employees, really? You have 40,000 employees and not one of them is bad?"
New technologies mean new security challenges, Hart said. Many IoT devices have serious vulnerabilities and no dedicated security protection. And if they haven't been hacked, they will be. The IoT security landscape is rocky, she said, because IoT is a new and developing technology and there is a general lack of standards in the space.
On the bright side, however, Hart said technology companies understand that IoT security needs to be addressed, and many companies and organizations are already working on developing industry standards and regulations.
"This is only going to happen through self-regulation because, frankly, you are all moving way too fast for the government to be able to catch up with you," she said. "Self-regulation is critical to this [IoT security] effort."
On the other hand, Hart said, threat actors know that the growing number of connected devices holds valuable data, and they will likely step up their attacks on IoT targets.
"The threat vectors are increasing and they're pervasive, and they're going to keep on coming, and they're going to accelerate because this is such a rich field," Hart said. "IoT compounds the security challenges that we already have."