Consumer Electronics Daily was a Warren News publication.
IoT Concerns

Emerging Technologies Present Cybersecurity Opportunities, Vulnerabilities, Experts Testify

IoT and other emerging technologies are a double-edged sword for U.S. cybersecurity, industry experts told the Senate Commerce Committee Wednesday. Such technologies, if not properly secured, can be a significant cyber vulnerability for U.S. companies, particularly given the growing cyber capabilities of China and Russia, the experts said. Blockchain and other emerging technologies also could be a major boon in enhancing the U.S.' overall cybersecurity, they said. The Senate Commerce hearing, one of two Wednesday (see 1703210064), was part of committee Chairman John Thune's, R-S.D., ongoing series exploring aspects of emerging technologies, said a Senate Commerce aide.

Senate Commerce will continue to take a role in shaping cybersecurity policy in the 115th Congress, including by “promoting public-private partnerships on risk management, foundational research, and a robust cyber workforce,” said Chairman John Thune, R-S.D. He said he will work with Senate Communications Subcommittee ranking member Brian Schatz, D-Hawaii, and Sens. Maria Cantwell, D-Wash., and Jim Risch, R-Idaho, on “potential legislation to ensure that small businesses fully benefit from the [National Institute of Standards and Technology's] Cybersecurity Framework.” Thune vowed to send letters to Secretary of Transportation Elaine Chao and Secretary of Commerce Wilbur Ross urging them to “prioritize the cybersecurity of federal systems.”

Senate Commerce members Richard Blumenthal, D-Conn., and Ed Markey, D-Mass., filed two related cybersecurity bills Wednesday -- the Security and Privacy in Your Car (Spy Car) Act and the Cybersecurity Standards for Aircraft to Improve Resilience (Cyber Air) Act. The Spy Car Act, first filed in 2015 (see 1507210025), would direct the National Highway Traffic Safety Administration and the FTC to develop car cybersecurity and privacy standards. The bill would also create a “cyber dashboard” ratings system to inform consumers about connected cars' cybersecurity. The Cyber Air Act would require airlines to take “reasonable measures” to prevent cyberattacks and secure in-flight Wi-Fi. Airlines and airplane manufacturers also would be required to disclose cyberattacks that target airplane systems.

Emerging technologies “have the potential to create new security risks,” Thune said during the Senate Commerce hearing. “For example, nefarious hackers can use [artificial intelligence] to identify cyber vulnerabilities and victims faster. Future quantum computers could break our current encryption standards with ease.” The “rapid commercialization” of IoT gives hackers "a multitude of new targets to attack,” said Senate Commerce ranking member Bill Nelson, D-Fla. AI and quantum computing "could greatly enhance our cyber defense capabilities, but in the wrong hands, could make detecting threats more difficult, risking our economic and physical well-being. Blockchain technology, which has proven successful in securing financial transactions, could be used to secure all kinds of sensitive data and information.”

The U.S. “must continue to make the development and adoption of emerging technologies an economic center of gravity,” said Eric Rosenbach, former assistant secretary of defense-homeland security and global security. “As the number of internet-connected [AI-driven] devices increases, policymakers and legislators need to address the associated increase in the nation’s vulnerability to strategic cyberattacks.” Rosenbach highlighted the threat China and Russia are for emerging technologies' cybersecurity.

The Chinese government “has invested heavily in the research and development of technology that underpins” supercomputing, AI and blockchain technologies, Rosenbach said: China has been “integrating new technology into security-focused cyber capabilities,” including adding AI and supercomputing technology into the “Great Firewall of China” that isolates that nation's internet users. Russia is 10 years behind China and the U.S. in development of emerging technologies, but Russian President Vladimir Putin “has taken a deep personal interest in quickly closing this gap,” Rosenbach said. Russia's development of capabilities to attack the U.S. via IoT and AI technologies, when combined “with the Russians’ proven deep experience with spreading strategic disinformation,” should “be a serious concern,” the expert said.

IBM Security Vice President-Threat Intelligence Caleb Barlow and other executives highlighted the threat of unsecured IoT. IoT-enabled devices “can be deployed for an extended lifetime and often lack simple methods to update and patch their software, which leads to poor security,” Barlow said. “Worse yet, to ease the deployment of these IoT devices, many often ship with minimal security controls, default user IDs and passwords that are never updated by the end user, making them easy targets for an attacker.”

National Venture Capital Association Chairman Venky Ganesan noted the role that Mirai botnet-infected IoT devices played in the October distributed denial-of-service attacks against Dyn (see 1610210056 and 1610250021). He's concerned that connected cars could be hacked and used as “a weapon for terrorism purposes” since consumers are not well informed about connected cars' “inherent security risks” to demand “strong” cyber protections. “Vendors often have not made the necessary investments in product security, and have not implemented even basic capabilities such as password management or the ability to perform over-the-air security upgrades,” Ganesan said.

Blockchain-based technologies are a cybersecurity opportunity “since they are currently perceived as much safer than traditional databases and less impervious to manipulation and fraud,” Ganesan said. Although blockchain technologies require significant resources to scale, “governments who have access to unlimited computational and power resources should” consider those technologies “as a promising way to store their critical data,” Ganesan said. “High-profile hacks of databases like with [the Office of Personnel Management] demonstrate the vulnerability of information held by the government. Blockchain could play an important role in data authentication and transparency in the healthcare and financial sectors.”

Intel Security Chief Technology Officer Steve Grobman warned Senate Commerce to be “wary of hard regulations” on the cybersecurity of emerging technologies since regulations might allow future threats to “slip through the cracks.” Government mandates likewise would result in “mere compliance rather than true security,” he said. The federal government instead should focus on continuing successful public-private partnerships like the one that resulted in the NIST Cybersecurity Framework, Grobman said. The final result was a “flexible framework” rather than “rigid regulations,” he said.