Security researcher Ken Munro recently disclosed vulnerabilities with BMW's most recent models of "smart" cars that could enable thieves to bypass the car's security and unlock doors and windows. The disclosure actually paled in comparison to last year's televised controller area network (CAN) hack by Charlie Miller and Chris Valasek, in which the researchers took control of a Ford Escape's steering, speedometer, and engine.
It seems a new vulnerability is disclosed every other day in this brave new IP-centric world, with reports of refrigerators acting as spambots, insulin pumps susceptible to wireless hacks, and easily compromised smart meters. At the same time, there's the BYOD Bogeyman banging on enterprise IT's door, with users muddying networks with their personal devices.
The Internet of Things (IoT), BYOD, and the DevOps revolution: They're all descendants of the pervasive or ubiquitous computing movement -- compute as a platform, as a tool, as raw material, ultimately fading into the background because it's everywhere. Compute becomes a creative tool to help people solve problems.
But security hasn't quite caught up to this evolution of seamless tech and appears to be the only barrier to what the father of ubiquitous computing, Mark Weiser, predicted as an age of "calm technology, when technology recedes into the background of our lives." Security researchers forget that the goal of ubiquitous or pervasive computing is invisibility, not heavy-handed controls.
Most companies aren't in the business of security. They are specialists in their own particular industry. So why are we surprised when it isn't their first priority? As compute becomes more transparent, information security continues to go in the opposite direction. It's still cumbersome, often focused on compliance checklists and vulnerability assessments that point out shortcomings rather than delivering solutions developers can actually use, and it often operates with the same efficiency as the DMV. "No" remains the security mantra.
Instead of security professionals complaining and demonstrating how consistently insecure products are and coming up with reasons why users can't have the flexibility they need, maybe infosec needs to come up with new methods of achieving ubiquitous security. By creating approaches that aren't a choke point in the development cycle, security aligns with the business.
The DevOps movement transformed IT organizations by demanding that all teams start to think like developers, emphasizing continuous change for speedy application delivery and support. Isn't the IoT just one more application?
Some argue that DevOps runs counter to good security, that the two aren't compatible, and that SecDevOps isn't possible because developers don't care about security. But humans are quite adaptable, and as biologist Peter Watts said, "Natural selection favors the paranoid." As the population increased and crime rates rose in urban areas, people learned to make physical security a habit. If we don't have to call the locksmith every time we want to lock our doors, why shouldn't we be able to integrate good security practices into the rest of the business?
Recently, technology journalist Quinn Norton wrote an apocalyptic article in which she lamented "how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire." The recent OpenSSL Heartbleed vulnerability seems to confirm the frailty of our interdependent systems -- how easily one bug can cause a ripple of destruction like a tsunami wave.
Focusing on a technology rather than the problems it solves -- as security pros are apt to do -- is like falling in love with a hammer. The hammer only matters when it's used to do something: build a house or fix a roof. The hammer by itself is meaningless. So what we do in IT and even security is completely pointless if we don't remember the end goal: furthering the business in its act of creating opportunity. Any idiot can blow up a cathedral, but it takes a genius to design one and an army of craftsmen to actually build one.
Nothing prevents us from changing the course of our pervasive computing future. Take the arch, a miracle of physics and engineering perfected over hundreds of years. When architects struggled with making arches taller, they invented the first pointed arches, which produce less thrust at the base, allowing for those insanely large Gothic cathedrals.
The potential for real solutions exists, but only if security professionals join the conversation. Security isn't weak because our users and developers are stupid -- it's because our solutions are.