The Promise (and Pitfalls) of Drones

UPDATE January 28, 2015:

Interesting development after my original post below. TechCrunch is reporting that the maker of the drone that crashed into the White House lawn has developed and is providing a firmware update for its drone that will inhibit the craft from flying in certain places.

“The firmware update (via TheNextWeb) essentially just puts geographic restrictions in place that act as “no-fly zones,” adding a virtual barrier extending 25 kilometers from downtown D.C. in all directions and effectively blocking either take-off or even flying entry by a drone. National borders are included, too, to try to prevent DJI drones from being used for the kind of drug smuggling operation described above.

There are also 10,000 new airports added to the Phantom firmware’s no-fly list, which should prevent the consumer gadgets from getting in the way of air traffic and generally causing problems.”


ORIGINAL POST January 27, 2015:

Drones. It seems they’re everywhere these days.

To say that drone use has proliferated over the last year or so would be an understatement, but it’s important to know how drones are being used, what value they bring, and what dangers they present as the technology advances at an ever-increasing pace.

A drone carrying close to 6 pounds of meth crashed in a parking lot near the California – Mexico border.

 

Consider first the potential of drones and the value they add. In a recent article entitled “Why Drones Are the Future of the Internet of Things,” Colin Snow, CEO and Founder of Drone Analyst, talked of the commercial use and applications for drones. “[I]n countries like England, Australia, and France, you will find them operating in energy, mining, mapping, and surveying companies – and quite a few government agencies like those responsible for transportation and infrastructure.”

“Drones are already beginning to efficiently replace [] connected sensors at rest with one device that is:

  1. deployable to different locations
  2. capable of carrying flexible payloads
  3. re-programmable in mission
  4. able to measure just about anything, anywhere”


Add to this the well-publicized (currently exploratory) use by Amazon of drone delivery and we can see clearly a horizon where drones populate the sky with increasing regularity in support of businesses and enterprises in a variety of verticals.

There are, of course, serious concerns about such ubiquitous drone use. Two events we learned about just this week serve to amplify those concerns:

  • A drug-carrying drone crashed in a Mexican parking lot near the California border on January 20; and
  • Yesterday, January 26, a small drone (too small to be detected by radar) crashed into a tree on the South Lawn of the White House.
A drone, which was about two feet in diameter and weighed about two pounds, crashed into the White House lawn.

 

In the latter of the two instances, the drone ‘pilot’ was apparently drunk and not intent on malfeasance; the former event, of course, represents a much more dangerous development in the form of a new delivery vehicle for illegal drug runners intent on selling their wares in the United States.

In short, it would certainly seem that drones do have their uses, some for entertainment, some for business and some, of course, for our military. At the same time, however, drones have clearly now become a security issue, and whether it be through regulation or technology advances or perhaps a combination of both, efforts will have to be made to protect both privacy and person in a future of drone-filled skies.

Well Publicized Hacks Driving Cybersecurity ‘Tipping Point’

It’s here. Finally. Maybe.

We may have finally arrived at that time in U.S. history when “cybersecurity” has moved from an obscure tech term to a mainstream concern of everyday Americans. This important ‘tipping point’ comes courtesy of more than two years of well-publicized cybersecurity intrusions, including but not limited to the Home Depot and Target attacks, as well as the Sony hack this past November.

Just yesterday, twelve short days into 2015, the media reported on not one, not two, but three cybersecurity ‘hacks’ on everything from the United States military, to airlines to the nice folks that make our children’s crayons:

  • CENTCOM (the United States Central Command), a command of the Department of Defense that has been the main American presence in Iraq and Afghanistan (source: Wikipedia), saw its Twitter and YouTube accounts hacked, apparently by Islamic State sympathizers. Source: Washington Post
CENTCOM resumes Twitter activity after hack

 

 

Crayola apologized for hack of Facebook site

 

In response to these attacks and the media coverage surrounding them, politicians, congressional leaders and federal regulators are all now calling for legislative action. President Obama is pushing the Personal Data Notification & Protection Act to establish national, uniform requirements surrounding when and how companies should report cyberintrusions. The law would “give a company 30 days to let you know if your personal information — such as your address or Social Security number — has been exposed by hackers or careless employees.” Source: CNN Money.


Separately, H.R. 234 was introduced in the House of Representatives by Congressman Ruppersberger, a Democrat from Maryland, pushing forward, “another go at the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the House in 2012, but got knocked down in the Senate.” Source: CNN Money

It is impossible to know if the Republican-controlled House and Senate and President Obama will be able to work together to draft, negotiate and pass legislation to help keep Americans safer from cyberthreats. What is not so difficult to know or see is that this issue has reached a critical mass affecting everyday folks and that, without some additional action and effort to combat the threat, the results of these hacks and those to come will continue to grow and impact millions of Americans, their personal information and their privacy.

Four Cybersecurity Bills Pass Congress

While the Sony hack has dominated cybersecurity news the past few weeks, there was some other news concerning actions taken by the United States Congress on this front. In a little-reported move, the 113th Congress in its waning days passed four (4) cybersecurity-related bills:
  • The Cybersecurity Act
  • The National Cybersecurity Protection Act
  • The Border Patrol Agent Pay Reform Act
  • Cybersecurity Workforce Assessment Act

“The Cybersecurity Act allows the Obama administration to start writing new voluntary standards for industry to use to prevent attacks on critical infrastructure like power grids.

The National Cybersecurity Protection Act requires the Department of Homeland Security’s National Cybersecurity and Communications Integration Center to start sharing information on potential threats with private companies, who bear the brunt of most cyber attacks.

The Border Patrol Agent Pay Reform Act also includes language authorizing DHS to boost the pay and benefits of new recruits focused on cybersecurity issues.

And the Cybersecurity Workforce Assessment Act requires the secretary of homeland security to determine how to bolster the cybersecurity workforce across the sprawling department.”

According to the Hunton & Williams Privacy and Information Security Law Blog, these bills, “(1) clarify the role of the Department of Homeland Security (“DHS”) in private-sector information sharing, (2) codify the National Institute of Standards and Technology’s (“NIST”) cybersecurity framework, (3) reform oversight of federal information systems, and (4) enhance the cybersecurity workforce.”


The President is expected to sign these four pieces of legislation, which represents the first time that Congress has passed and sent major cybersecurity legislation to the White House in 12 years.

IoT Security Threats: Know and Prepare for Thy Enemy

The Internet of Things (IoT) is widely regarded as the third and most significant wave of the Internet. It promises some amazing advancements in literally every industry, from healthcare to energy, to smart cities and smart homes, that will impact us all in ways we have yet to imagine.

As I’ve discussed before, however, IoT also presents new challenges to cybersecurity and privacy. It isn’t a question of if there will be negative IoT impacts, but when, and how severe and how pervasive those negative impacts will be.


It’s in that regard then that I share this article by Network World’s Colin Neagle.


In his post earlier this week entitled, “5 ways to prepare for Internet of Things security threats,” Neagle recommends the following to prepare for the inevitable IoT cybersecurity challenges before us:

  • Don’t underestimate the security impact of the Internet of Things
  • IT and operations need to communicate when buying, deploying smart devices
  • Keep track of software updates for smart devices
  • Educate end users on the risks
  • Educate IT on the nuances of the IoT

All are helpful, but perhaps none more than the first. Understanding what an organization is up against – and what is at risk – is the cornerstone of safely leveraging and operating in the IoT marketplace.

To be honest, it reminds me of something I learned in grade school: students don’t plan to fail, they fail to plan. It will be the same with enterprise and IoT. Successful organizations will not only have the vision to leverage IoT solutions and drive profitability for themselves and their clients, but those organizations will also recognize IoT threats coming around the bend and will prepare ardently and diligently for them, in response.

The Real Power of IoT is in the (Big) Data

It’s often said by folks who know about the Internet of Things (IoT) that within the next 5 years or so, 50 billion devices (give or take) will be connected to one another through the Internet. Generally speaking, many believe that these devices will open up a world of innovation and creativity, driving new solutions in smart cities, energy production, manufacturing, transportation and healthcare, to name a few industry sectors.


 Infographic developed by Intel. See http://tinyurl.com/pzec2la

What is sometimes left out of the conversation, however, is the potentially more life-altering impact that the data created by all these devices will have on everyday life. Enter “Big Data,” the enormous amount of information that will be generated by those billions of connected devices in our cars, our homes, our factories and our cities.

This nexus was recently made crystal clear in Howard Baldwin’s Forbes article that discussed Big Data analytics and the value of the same in the IoT:

“…[O]nce the Internet of Things gets rolling, stand back. We’re going to have data spewing at us from all directions – from appliances, from machinery, from train tracks, from shipping containers, from power stations…” 

Citing Drew Robb in his Enterprise Apps Today article, “How IoT Will Change Big Data Analytics,” Baldwin said that, by way of example, “Duke Energy’s Emerging Technology office is thinking about how to take advantage of communication from buildings, vehicles, people, power plants, and smart meters.”

According to Baldwin, “As one of Robb’s sources noted, “Every enterprise needs to factor in how the Internet of Things is going to affect them and their business, and must respond by establishing the right infrastructure to support this level of Big Data and analytics. If they don’t, they will fall behind.””

There will undoubtedly be thousands of companies that figure out how to add connectivity to their devices. The real prizes, however, will go to those who understand how to successfully harness and analyze the big data created by those devices, making possible previously unimagined ways of doing things and living our lives. Now is the time to begin that journey.

 

Financial Firms Spending $2 Billion More on Cybersecurity

We can now add U.S. banks, insurers, money managers and other financial companies to the growing list of organizations spending more to protect and guard against the growing problem of cybersecurity. As reported by the Wall Street Journal this week, “Financial-services companies plan to bolster their cybersecurity budgets by about $2 billion over the next two years, according to accounting and consulting firm PricewaterhouseCoopers.”

“While Internet breaches have hit everyone from big-box retailers to the U.S. Postal Service, banks and investment firms are in the spotlight because they have been attacked frequently and handle reams of sensitive client data, including millions of checking and savings accounts. Banks’ response has been to spend more. Citigroup Inc.’s annual cybersecurity budget has risen in recent years to more than $300 million, people familiar with the bank said.” (Emphasis added).


“Overall, the number of financial firms reporting losses of more than $10 million from cybersecurity incidents increased more than 140% from a year ago, according to the PwC report. Financial-services companies accounted for 34% of all breaches in 2013, almost three times the percentage of the public sector, which garnered the next highest reading, according to the Verizon 2014 Data Breach Investigation report.” (Emphasis added).

Considering the risks involved and the highly sensitive and private nature of the information handled, stored and processed by these firms, this is definitely welcome news. It is also, however, a sign of things to come and an unwelcome indicator of the current threat level that companies in all industries face. Cyberthreats are real, they are increasing, and they can be devastating to consumers and the companies who serve them. Organizations across the spectrum would be well served to conduct their own risk analysis and dedicate whatever resources are needed to address these threats and ensure to the best extent possible the privacy and security of the information they are entrusted with.


Are 3rd Party Vendors Our Biggest Cybersecurity Risk?

It’s happened again…

Following reports that the Target security breach was carried out by way of a breach at a third party (HVAC) supplier, now comes news that the Home Depot breach – that compromised more than 56 million consumer credit and debit cards – was accomplished by criminals using a third-party vendor’s user name and password to enter the perimeter of the Company’s network. This marks the second such vendor-accessed, high-profile, high-volume cybersecurity breach in the last twelve months, with a resulting unlawful disclosure of a combined two hundred million customers’ personal and confidential information.


In both cases, compromised or stolen data from the vendor was used to penetrate the retailer’s outward-facing cybersecurity defenses. Once in, criminals were able to hack, navigate, expose and capture personal information.

“The attacker is just going after access vectors that for whatever reason remain weak,” said TK Keanini, CTO at Lancope, in an email. “[ ]  Supply chain is ripe and attractive because 1) it often has more access than it really should to the firm; and 2) the firm grinds down these suppliers’ margins so low that suppliers then cut costs by cutting security spending: It is going to get a lot worse before it gets better.”

Unfortunately, these breaches are certainly not the last we’ll see that are vendor-originated. They do, however, fully illustrate the need for organizations to carefully and thoroughly vet their suppliers, including and perhaps especially those who provide products and services seemingly unrelated to technology or networking. Procurement, legal and IT should all be part of the vendor selection and on-boarding process to help best protect the organization, its assets, its reputation and its customers.

IoT Standards Movement Continues to Grow

The proliferation of standards for the Internet of Things (IoT) continued its growth today when the AllSeen Alliance, a “nonprofit open source consortium dedicated to driving the widespread adoption of products, systems and services that support the Internet of Everything,” announced that its group had expanded with the addition of nine (9) new companies and one new sponsored member.

dog hunter (IoT WiFi modules, control and sensor management solutions), FengLian (commercial WiFi and intelligent home product and support provider), ForgeRock(R) (identity relationship management solutions), INSTEON (networking technology for the connected home), MobilityLab (next-generation enterprise mobility solution MobileSputnik), NETGEAR (global networking company), Organic Response (sensor-based lighting control system), Quanta Computer (Fortune Global 500 Company, the largest manufacturer of notebook computers) and VeriSign, Inc. (global leader in domain names and Internet security) have joined the initiative, according to the press release. New sponsored member Korea Electronics Technology Institute also joined the group. The Alliance now totals 80 companies and 12 sponsored members.

“AllSeen Alliance members are collaborating to advance the seamless connection of a range of objects and devices in homes, cars and businesses by building out an open source software framework, called AllJoyn(TM). Through code that is available today and continuously updated through contributions by members and the open source community, AllJoyn acts as a common language for devices to interact regardless of brand and other infrastructure considerations.”


Standards-making bodies such as AllSeen have been growing rapidly over the past few years, as the quest for common languages, rules, requirements and protocols tries to keep up with the advancements in technologies now driving IoT. Other groups including but not limited to the Industrial Internet Consortium, the Open Internet Consortium, JCA-IoT, IoT GSI, GSC MSTF, Thread, and the International Organization for Standards are all attempting to develop commonalities to support and drive the interoperability of the estimated 50 billion devices that will make up the Internet of Things in our homes, cars and workplaces by 2020.

Company Culture and Cybersecurity are Critically Intertwined

How serious is your organization about securing and keeping private the consumer and other data you access, handle, store or otherwise process? Put another way, does your company culture emphasize and value the allocation of precious resources to fight cybersecurity threats?

These are particularly important and timely questions to ask, especially in light of recent well-publicized data breaches affecting millions of Americans. According to a recent New York Times article, one of those breaches, involving Home Depot, was due at least in part to years of neglect and a lack of attention to vulnerabilities and warnings by former members of the company’s cybersecurity team. This alleged culture that stressed “selling hammers” over securing data left the company open to attack from malware that it says “had not been seen before and would have been difficult to detect.”

Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: “We sell hammers.”


Additional investigation (and litigation) will likely tell more about whether and to what extent company culture played an integral part in the data breach that ultimately compromised 56 million of Home Depot’s customers’ credit cards. In the meantime, however, all organizations – for-profit and non-profit – should be taking a long hard look at how they value cybersecurity. Is company culture deeply intertwined with a dedication to keeping data safe, or is the privacy and security of information ‘something for IT to worry about?’

Federal Regulation Coming Soon to the Internet of Things

It was really only a matter of time…to the extent that the Internet of Things (#IoT) isn’t already regulated by existing state and federal rules, the United States Senate now appears to be taking at least preliminary steps towards legislation that would specifically apply to IoT. According to an article published in The Hill today, “A bipartisan group of lawmakers on the Senate Commerce Committee wants Chairman Jay Rockefeller (D-W.Va.) to hold a hearing on the millions of new connected refrigerators, cars and other devices.”

“The so-called ‘Internet of Things’ is ‘sparking a number of important policy questions’ about security and privacy, Sens. Deb Fischer (R-Neb.), Cory Booker (D-N.J.), Kelly Ayotte (R-N.H.) and Brian Schatz (D-Hawaii) wrote to Rockefeller and ranking member John Thune (R-S.D.) on Monday. ‘Congress should engage on the issue cautiously and constructively, in a bipartisan fashion, and we appreciate your leadership in examining this topic,’ they wrote.”

This is an important but not unexpected development, especially given the rash of recent highly publicized data breaches. It’s also not truly the first foray of the federal government into IoT, as the Federal Trade Commission (FTC) in November of last year held a public workshop on IoT privacy and security implications.

Read The Hill’s full article here, and stay tuned for more federal action on IoT to come.


“Now is the right time for the Senate Commerce Committee to hold a hearing…”

John Ansbach on IoT, Cybersecurity & the Technology Trends of Tomorrow