In episode 28 we learn about all angles of cybersecurity with John Moor – MD, The IoT Security Foundation – from the biggest security threats facing the IoT ecosystem, in both digital and physical form, to how we can unify best practices that will put us one step ahead! 🛡🔒🛡
And remember: if it is not secure, it is not safe!
John Moor is the Managing Director of The IoT Security Foundation, leading cyber-security development at a globally renowned non-profit organisation helping secure the Internet of Things, in order to aid IoT adoption and maximise its benefits. To date, the IoTSF has over 100 member companies on the march to make it safe to connect.
Sit back, relax and be the first to discover:
- John’s background and why he moved to the world of cybersecurity – the 3 B’s of security 00:30 – 06:30 🛡
- What the IoT Security Foundation is and how it came to launch 06:30 – 08:55 🔒
- Industries most prone to security threats 08:55 – 13:00 🛡
- The biggest challenges when it comes to implementing security – the three C’s of security 13:00 – 16:18 🔒
- Why is it so crucial to implement security and change the conversation? 16:18 – 20:16 🛡
- The biggest threats to IoT security: Will there be a technology war? 20:16 – 22:45 🔒
- Cyber-physical threats 22:45 – 28:05 🛡
- How we can all work together to become more secure 28:05 – 34:22 🔒
Welcome to the IoT Podcast Show. Today I am joined by John Moor. John is the managing director of the IoT Security Foundation. John has an extensive background in security and leads the Foundation which is a globally renowned non-profit organization helping to secure the Internet of Things.
As it stands at the moment, there are over 100 company members on the march to make it secure to connect and as the saying goes, “If it’s not secure, it certainly isn’t smart.” John, thank you and welcome to the show.
Thanks for inviting me Tom. It’s a pleasure to be here. We’ve talked about it for some time now and I’m delighted to finally make it happen.
What is your IoT background?
Thanks John. Yeah, I mean we definitely have spoken about it quite a few times but I know we’re both busy, lots of things on the agenda but yeah, I’m delighted that you’re on here. Obviously I’ve been involved with the Foundation for a couple of years via my other business and loved the work that it does, quite unique actually in terms of its community and the people that you have there. Perhaps that’s a nice way to start, I suppose John. I mean, can you just introduce yourself, your background in IoT and really the mission of the Foundation?
Yes, certainly. Well let’s start with me. So John Moor, managing director of the IoT Security Foundation. Interesting, I think you called me an expert in the space. I don’t think of myself as an expert. My background really is in embedded systems, back in the day when I was an engineer. So that’s the first thing we start with, I describe myself as an expired engineer, expired embedded systems engineer.
Very honest John.
And since the days that I was doing engineering, of course I moved into management. I was the founder of a company based out of Bristol. [inaudible 00:05:33] semiconductor company called [Pixel Fusion 00:05:36] back in the ’90s. We didn’t quite make it but the work carried on in various guises. But the genesis, I think, of the IoT Security Foundation, I was working for the National Microelectronics Institute and the chairman of the time, this is back in 2015, came to me and said, “John, do you think we should take a look at IoT security?”, and bearing in mind that the chairman at the time was the CEO of an IoT company, a company called [Mule 00:06:08], very astute, very well respected semiconductor professional by the name of [Stan Boland 00:06:14]. In fact doing amazing things now in the autonomous driving space.
So when he asked me, “Do I think we need to take a look?” It wasn’t really a question. It was a, “I think you need to go and take a look.” So the original response from me was I was a little bewildered to be honest because the first thing was, I thought, “What’s there to see? Isn’t cybersecurity quite mature?” My second response was, “Why me? I don’t know anything about security. I’m not an expert.” My background was in innovation and semiconductors and the emerging markets. But there we go.
So I got the brief, “Go and have a look,” and from my original, “What’s there to see?”, very quickly I built up a picture of, “My goodness, I guess it real quick,” because if you just took a scant look at the headlines at the time, clearly the situation was dire. What I now know after six years of looking at the space, I kind of put it in different phases.
The first phase I see is being what I would call the PC era, where we learnt quite a lot about computing and connecting computers up and one of the things I learned along the way is that Windows XP, Service Pack 2, was actually written by UK government people because they liked the idea of Windows XP but the security absolutely sucked. So that was an interesting thing to find out along the way. What we then got on top of… We kind of got on top of… We’re still getting on top of PCs, so security’s pretty good actually around PCs. I don’t think we’re unduly worried about it although we still need to be vigilant.
Then we go into the mobile era and the mobile era was better than the PC era, still issues, but much better. Then we go into the era of IoT, what we’re in right now and we did a complete reset. In fact, the term I was using at the time was egregious and let me explain what we did.
In order to get a better view of things, we decided that what we would do is try to create an event, a summit, the IoT Security Summit, the first one actually in the world and I say that because there was a claim about three or four months after we did ours, someone else in the world said, “We’re doing the first summit,” and it was quite a delight for me to send them an email saying, “Yeah, congratulations on the first summit. You’re doing it only four months after we’ve done ours, the first one.”
So, we did a summit at Bletchley Park and what we tried to do is get a landscape piece together, so we had the CTO of ARM talking about it from an [inaudible 00:08:55] right the way up to the UK telecoms regulator about what they saw and everything in between and what was very clear was it was a very concerning state of affairs. And so as I say, the word I associate mostly at that time was the word egregious.
We did the event, as it happens, back on the eve of the 2015 elections, so we decided to have a bit of fun and we put voting slips out on the chairs and we said to people, “Has today been just an interesting event or do you think we need to do something about it?” And as I say, to use the vernacular, 97% of the returning votes came back and said, “We definitely need to do something about it.” [inaudible 00:09:45], the 3% that came back that said no, we looked at the answers and we thought, “Oh, okay, we can see you have a vested interest in not doing anything.”
So it was pretty much 100%. So we asked that question. What we didn’t ask is what that something should be. So the next stage of my journey was to go out and look at and talk to as many stakeholders as possible to try to figure out what could be done to address this egregious situation.
And so several months later, in September we looked at the IoT Security Foundation. Its kind of center of gravity was around best practices. We looked at other things, things like standards et cetera, but we decided there was no need for another standards body.
So it really was, the need is now, best practices were where it’s at and so we launched, September 2015, with a mission to make it safe to connect, to really try to help secure IoT and what we were trying to do and what we continue to try to do is move the needle in the key areas, reflected in our founding values and the founding values of IoTSF are security first, fitness of purpose and resilience.
And I think for me, we’ll perhaps talk a bit more about resilience as we go on but that for me, coming from the embedded space, was the big area which was really interesting and really kind of summarizes the difference between where we were in what we now call kind of air gap systems and now connected systems.
And so along the way, we’ve adopted some terminology too. So we say, “We need to build secure, we need to buy secure and ultimately, we need to be secure,” and in the whole complexity of it all, and as you know, we talked about this many times, I often start talks by just stating, “IoT security is a wicked challenge. We cannot solve it completely but we can address it,” and so, [inaudible 00:11:46] with that, we then looked at the lifecycle of IoT and IoT systems and so, again, in the founding stages, we came up with this concept of supply chain trust. So that’s why we exist, that’s what we’re trying to do. It really is about making things better because it will never be perfect, so again that’s another phrase we use quite a lot. Do not let perfect be the enemy of the good. It’s important to be good, do the right things.
Yeah, thank you for that John. I think that’s a really nice phrase actually, do not let perfect be the enemy of good because often you find in security in traditional businesses, it’s somewhat an afterthought, isn’t it? And it’s a gold plating type exercise and that’s why it’s nice to have this community focused on the principles of security, sometimes by design and from inception and really focused on this from the ground up point of view. That leads me really nicely onto my next question actually. So, over 100 members at the moment, is that right? Is that the number as of today? I mean we’re filming this in February 2021, is that an accurate number?
Yeah, I feel a little bit delinquent because I should be able to give you a snappy quick answer about exactly how many. What I can tell you is this, it’s two more than it was last week because we’ve had two more sign up recently. So yes, it went north of 100 fairly quickly and of course our ambition is to grow it even further. But the interesting thing is we started out with just corporate members but we saw for all the right reasons that we needed to open up a category of membership which is professional members. So we’ve got a lot of really great professional members too, and I’d love to give you a number but I can’t but we do have lots of those [crosstalk 00:13:39].
What industries are most prone to security threats?
Don’t worry, I kind of put you on the spot. I should’ve told you about it in the five minutes before we started recording but never mind. And out of those members, John, what industries predominantly are they from and what industries are the most prone to security threats and that you see from the members that are part of the IoTSF?
Well, do you know what? I’ve always thought of it as an ecosystem play and what I mean by that, it’s not one specific group that we try to appeal to. We know the manufacturers are absolutely key. If I take you back to the concept I was talking about earlier which is security first, fitness of purpose and then resilience, very clearly security first and fitness for purpose, for me anyway, really talks to the design community, so the producers of the technology.
We need to make sure that we provision the security controls at that end first because if you don’t, bolting it on as an afterthought is never a good idea.
But then we move into this thing called resilience and for me, that was the big eye opener about… And it’s so profound, what resilience means and what IoT means to businesses and the way we do design but resilience basically says, “Just accept the fact with your best efforts you will get hacked,” and why I say that with such certainty, it was one of the talks that we had at the Bletchley conference by the CTO of ARM. He said, “Accept the ugly truth, you will get hacked.” That means, “Do your best but make sure you’ve got processes in place to remediate once you do,” and I think that’s just what we see today. Data breaches are just a fact of life. It’s how you deal with them, [inaudible 00:15:24] important thing.
So the IoTSF membership is across the board so we have academics, we have industrial members, we have professional members, consultants, advisors, consumer electronics companies, industrial control companies. So it’s a really good mix actually. In fact we even have members who come in from a consumer type, consumer rights perspective which is really interesting to get insights even from that side of things.
And I got to say, even at the Bletchley Conference, what was really interesting, we attracted interest from the insurance industry because this is huge for the insurance industry. Security management is largely about risk and of course they underwrite risk.
In terms of where we see where the big threats are, where we started we decided that we would start the IoTSF story in the consumer space because that’s where we saw most of the issues emanating, by virtue of the fact that the barriers to entry were very low. So no regulation, actually it’s really low cost to bolt a bit of connectivity into your product and call it smart. So again at the time, there was quite a lot of amusement around smart kettles for example, “What do you need a smart kettle for?” Someone’s taken connectivity and made it smart.
I will add actually that we did invite the CTO of a chemical smarter who made one of the original smart kettles to come and talk at one of our conferences and he did a great talk about how they went almost from like villain to hero in terms of what they were doing in security and it was a good kind of a journey that just really showed how companies were walking into this new opportunity without really understanding the full impact of putting connectivity in and because what you do, you create an expanding attack surface and even if it’s not the thing that you’ve got, like the kettle, that may not be the subject of the attack. What it does, it gives you a pivot point into a network which then means that you can do other nefarious things.
So we started out in consumer and what we started to do was put our best practices together around consumer and of course, very quickly you realize a lot of this stuff is quite general purpose. So that’s what we did, we expanded it and we said, “Let’s not just constrain it to consumer.” A lot of it, the advice we put down in the best practices, just varies by degree.
If I refer back to our second value, which is fitness of purpose, again what you realize very quickly is that the application and the context that you are working in really determines the kind of strength and the investment you need to put into security.
So for example, consumer controls will differ from what we say put in medical or maybe in sort of national infrastructure but the concepts behind them, all the same, it’s just how much you move the dials up.
What I would also say is that we then kind of moved into kind of a subset of what we would call smart cities, so smart built environment and right now we’ve got a working group focus on different aspects of smart buildings.
Again, what we try to do is we see the nature of security is not just one group. It really is across a lifecycle. So that group is looking to produce materials for building owners, manufacturers, facilities managers and also the integrators because security, it’s a shared responsibility, so we need to provision that.
But in terms of where we are to date, Tom, we’re still trying to get out of the pandemic and there’s some light on the horizon of course but I think this year’s really highlighted a lot of concerns around the medical and healthcare space. So that’s kind of driven the priority for security.
But we can’t forget the traditional, the infrastructure and when I talk about infrastructure, we’re talking about manufacturing through processing, utilities and transport. Each of those has its own challenges, they have their own risk profiles and the impacts of attacks will vary depending on them.
But it very much is, to answer your question back at the top, this is what the digital transformation means. It’s all sectors are moving into this digital landscape and security needs to become right at the very heart of how we design, provision and maintain our systems.
What are the biggest challenges when it comes to implementing security?
Thanks John. Yeah, I mean it’s a really interesting point that you made regarding the pandemic and healthcare and MedTech becoming ever more so important now. In general, what do your members discuss about the biggest challenges when it comes to implementing IoT security? What are things that kind of come up again and again around that?
Yeah, to know, again, it’s a kind of a… It depends who you’re talking to and what time and what their focus is but it’s something that over the course, I’ve tried to simplify in my own mind about what are the challenges of security and a tool for me, I kind of adopted this concept of what I call the three Cs.
We like three at IoTSF. So I’ve said about build, buying… Sorry, build secure, buy secure and be secure, we got the three founding values, but the three Cs are, in terms of the challenges, the first one being cost. Nobody really wants to spend money on anything that they don’t see as important and sadly today, security in many areas is being seen as a cost. So cost is an issue.
Complexity. It’s a very difficult thing to provision. Again, I’ve already said, do not let perfect be the enemy of the good. Try to simplify. So cost, complexity and I’ve cheated a little bit on the third C. It should be convenience but it really, it’s inconvenience. What we know about behavior, if the security is inconvenient, people, businesses will try to find ways to work around it.
So the very high level, those are the things which challenge security.
But I think what we’re also seeing is what are the incentives for security and what shape do they come in? Disincentives, things like regulation. Regulation’s coming, we’ve been talking about this for some time now and so if we look at what’s going on here in the UK, we know the regulation is in process. I’ve been also looking across the pond in the US and the legislation that’s coming out in the US, I think it’s quite interesting because they’ve adopted a slightly different approach and I remember somebody, actually it was [Bo Woods 00:22:48] at one of our conferences, he talked about a carrot-shaped stick, which I quite like the idea of because it kind of says there’s a stick there if you’re not careful but it could be an incentive.
And so if I look at what’s coming out in California, the legislation, which has been criticized for being a little bit difficult to prosecute against because the language is too broad, but what that legislation basically is saying to industry is, “Legislation is here, which we can use. You need to do a better job. If you don’t, we’ll come in but guess what? If you are subject to a breach or some legislation, if you’ve shown to have taken steps, that will work in your favor. We’ll be lenient on you.” So that’s a good thing.
I think also what we saw just at the end of last year was the Cybersecurity Improvement Act in the US, which is now written into law that says if you’re going to supply US government with anything considered to be connected or IoT, it must meet certain standards, which are being produced by NIST, the National Institute of Science and Technology.
And so again, I think that’s a good incentive and although government is not the only market, it can only be a positive influence to help motivate companies to actually build security in.
So overall, it’s a really interesting situation because what we see is the need is patently clear for security. It’s patently clear in this digital transformation.
However, the demand is lagging. So we’ve got to look at ways how we work up demand and I’ve mentioned perhaps a couple of examples there where government can play, not just in regulation but also being as a purchaser. And I think that gives us some insights into not just the challenges but how we might start to overcome some of them.
What do people tend to overlook when it comes to security?
Yeah. It’s interesting you should say that. So the need is increasing but the demand isn’t meeting the speed at which the need is increasing, right? And this is a really interesting topic and something that comes up a lot in people that I speak to, certainly on the show and in other aspects of how we’re involved in IoT is the general interest in security first, you mentioned obviously cost. Sometimes it’s quite prohibitive to people. There’s often a race to get things to market and often the security element can be overlooked in that kind of haste to get it out there into the wider world.
Clearly IoT is accelerating rapidly in certain areas. We’ve seen after the pandemic, we’ve had people talking about UVC lighting systems to clean air, sensor-based transportation for fruit and vegetables to ensure that it gets to the locations quickly. Lots and lots of things and certainly proximity sensors on wearable devices. What is the thing that people need to think about when it comes to security and why should they consider it over and beyond the cost element? I mean clearly there’s talk of it being the weakest link in the chain of a network but it would be really useful from your perspective so that we can tell companies why they need to be focused so much on security?
Yeah. Well, I think of course again, it depends where you are in that whole value chain and the emphasis of security and the responsibility that the companies [inaudible 00:26:44] will vary across that chain, and again, if I just break it down into kind of the three simple stages that I talked about in terms…
Actually the amusing story when we talk about the build secure, the buy secure and the be secure, again, I’m sure I’ve confided in you in the past that when we announced this, that we were looking to use this as a vehicle to communicate simply what we’re trying to do, one of our members put his hand up and said, “You know what, John? You got three BSs there.”
And I said to him, “Well, if three BSs helps you remember it, then that can only be a good thing.” And in actual fact, I did then go on to write a blog post which I think the title said something like, “Why IoT security needs more BS.” Again, it’s a good way of raising awareness and getting simple messages out.
So, in terms of… I think I’m going to start in the middle though, the buy secure. I think for any business that is looking to utilize IoT for the benefit of his business, for improved efficiency or create new innovations, whatever, then they’ve got to be asking their supply chain for security because the impact of insecurity can be really quite profound and I think they need to see it as an investment in securing their long-term business. In fact, that’s something we talk about, “Don’t see it as a cost, see it as a value-add,” and so we need to change the conversation around security.
And so, what does that mean? It means that you’re protecting your customers, you’re protecting your business, you’re reducing the threat of liability and downtime and all of those things because in this increasingly connected world, you are going to get hacked and you want to make sure that you’re as resistant to that as possible.
So buy secure. Make sure when you’re purchasing products, services, systems, you specify security in the purchase contract, and I think that then helps also, if I go back to the first stage which is build secure. If there’s no market for insecure products then guess what? Those manufacturers, those producers do not have businesses.
So what we have seen is the more, I don’t want to say responsible because it suggests others are being irresponsible when in fact they may not be irresponsible, they may just be ignorant to the fact of what they’re not doing.
But we saw a wave of, and we do see leading suppliers understanding the importance of security and they’ve built security into their products and services but for those who are kind of a bit behind the curve, it helps them catch up because, as I say, if there’s no market, then they don’t have a business.
So build secure, again, that’s really where IoT Security Foundation started and we started out with this notion of a checklist for manufacturers to demonstrate their security posture, their security credentials. That turned into something actually which is something we’re very proud of today and really much more fully featured, the IoT Security Compliance Framework.
And the concept behind the compliance framework, as I say, it’s evolved. It started out as a simple checklist, it grew into looking at what happens on the products, [inaudible 00:30:17] goes right the way through the software state, web user interfaces, right into the network and actually back to the cloud.
But then we also looked at this concept of fitness of purpose. So although it’s a framework and we’re asking the manufacturers to submit evidence into a spreadsheet, this is the requirement, demonstrate what is the evidence that you provide. And by the way, it may be that some of the requirements are not applicable, that’s why it’s become a framework. What it does is take all the manufacturers through kind of a super set of considerations but we’ve a bit of, on the front end, we’ve said, “What does fitness for purpose look like for you?”
And so we tried to make it very simple so there’s some dropdown boxes that say, “What are your requirements in terms of the confidentiality? What are the requirements in terms of the integrity and the availability of systems?” And so, the great news is we’ve had… I forget. We were certainly [inaudible 00:31:27] for 6,000 downloads of that framework last time I checked, so it’s clearly something that the industry needs and is very interested to learn from.
So the build secure bit, the buy secure… I think actually the buy secure, we’re increasingly interested in making sure that the purchases specify, that’s so key. And the third part is the be secure because as users of systems, there are some certain things that we can all do to help improve the security overall and it’s simple things like update your software, don’t use weak passwords, that sort of thing.
What can we expect from security in the next few years?
Yeah, yeah, absolutely. I think it’s very interesting isn’t it that businesses often overlook this element but I think your Foundation, what you’re doing, hopefully this podcast is building awareness and it really does need to be built into the overall cost of a project to a solution, to a build, that this must be secure because in an ever increasing world, if there are elements of this that aren’t secure, it’s going to cause disasters, right?
And I think it’s really good to get that message across and that’s why I wanted to ask it primarily John.
In terms of that and just going one step further, what in your view and that of the Foundation are the biggest threats to IoT security in the next five years? Obviously you’ve come on a journey since 2015 when that first speech happened from the CTO of ARM at Bletchley Park as you mentioned. What’s happening in the next five years? What should everyone be made aware of?
Well I think there are some interesting concepts that you were talking about there which I’ll pick up on, at least one of them. This idea of in the land of security, one of the gods is a chap called Bruce Schneier and Bruce Schneier talks about security debt.
And I think it’s a great thing to think about because if we continue just to do things as we’ve done in the past without bringing in security into the digital transformation, we’ve got a future debt which is going to have to be repaid at some point in time and that’s either going to be because bad things happen or because we just have to go in and take that stuff out and replace it.
I mean, we can try to put mitigations around it which is very inefficient and put sort of sellotape over gaping wounds but there’s a debt. So let’s not incur the debt, let’s not accrue the debt, let’s fix it at the beginning.
The biggest threat… I mean, my original response is going to be like, “Wow, let’s not scare the children, Tom,” because [inaudible 00:34:28] ultimately an insecure, hyperconnected world run by software, it can be an immense weapon and in the most extreme conflict that we have, which would be war, but we don’t want to go there.
And I’ve got to say, in my early days looking at security, each day I could’ve probably thought about two or three different Hollywood scripts about how things can go wrong because there were so many issues that you could see. But let’s not scare the children-
But I think it’s important that people know that though. Sorry to interrupt on that because ultimately that is where this could go. It’s like the classic ’80s film, WarGames, right? Potentially, if we’re not mindful and minding of the fact that this is so important and to raise the awareness, it could lead to that.
It could and look, let’s face it. In an increasingly connected world which is software defined, that makes a very vulnerable world and I’m not thinking of course about script kiddies here or necessarily criminals. I’m thinking about rogue nation states who have long time horizons, they’ve got deep pockets, they’ve got great capability. And of course the point is though, I don’t think we should be too… Excuse me, too worried about that, too scared about it by the way, because this is just the nature of humanity, humankind.
There’s always been wars, there’s always been technology and technology can be used as a weapon. So I think in the extreme case this will be used as a weapon.
But if we dial it down a little bit, I think we should be concerned about the cyber physical aspect of IoT and I think this is again, one of the big differentiators I see between traditional cyber and this thing called IoT because IoT does bridge into the physical world. We have cyber-physical systems. And what that means, there is a real threat to harm of human life and I think just last year, I think September time, we saw an episode where a patient couldn’t get treatment in a hospital due to a ransomware attack.
They were being transported to another hospital and died en route. So that’s certainly something that people were keeping an eye on, when was going to be the first death directly attributed to IoT. [inaudible 00:37:08] this case I just mentioned wasn’t directly attributed to IoT specifically but that is a real threat.
I have actually seen examples of cattle, the internet of agriculture. I forget what the acronym is there but we’ve seen possible linkages between IoT failing and cattle dying, but that’s not human of course. But those are sorts of things that we could see. But you know what? It’s that what we were saying Tom, it doesn’t need to come to this. We’ve got to just accept the probabilities exist, they’ve always existed, it doesn’t follow that they’ll be exploited.
We all have agency in the process too. If we do the right things, we can reduce the risk. Again, remember the BSs. We’ve all got a role to play there, do your bit. And I guess having done the deep dive, looked at all the scary scenarios, I’m actually much more positive now because I can see the progress that’s been made and I do see momentum building, I see governments getting involved and again, back in 2015, the FBI issued a warning to the public about the threats of IoT, but a few years later, the Five Eyes of New Zealand, Canada, Australia, US and UK, have published an accord to say, “We will jointly work together to reduce the risks in IoT,” and that was nations. So it was government saying, “There’s a risk to our citizens here so we must take steps.”
I’ve talked about the regulation that’s coming through. So I think we’re moving significantly in the right direction. We shouldn’t get complacent. We’ve got to keep the pressure up but ultimately, where I would like to see this end… Or not end but the stage I’d like to see it get to is, I’ve often thought about security in terms of, I’ve thought about quality. When I started my career a few decades ago, quality, again, that was something that was bolted on at the end of a process, typically it’d be somebody inspecting something at the end of a bench.
And then we’ve got this concept of Total Quality Management, which was about integrating quality into every process within an organization. So it is assured by definition at the end of it and that’s what I see security, that’s where we need to get security.
So central to development. Security has to be central to development and it should become just integrated in everything we do, because that’s the digital transformation.
And again, I’ll put it across those audiences I talked about before from the manufacturers to the users to the ultimate end users. We’ve all got our role to play. So we have agency. Yes, there are scary things that can happen but let’s not drive project fear. Let’s drive project value in terms of security.
Yeah. And I agree. It’s all about being proactive as opposed to reactive on this, and I really like that phrase you used about the… I forget the chap’s name, is it Brian? About the security being a debt.
Yeah Bruce Schneier.
When you get into the space, you find these luminaries who’ve been talking about this stuff for a long time and we’re now at that point where the disconnected world has become mainstream, we’re all being connected and so suddenly the stuff they’ve been talking about for years is manifest every day.
Where will the IoT Security Foundation take security protection for devices?
Yeah. And I think it’s important for people to know that certainly, I know you said it wasn’t directly IoT security related but the case of the patient traveling to the hospital, this goes beyond someone hacking into your IP CCTV camera at home. It goes beyond hacking into your fridge monitor and turning your fridge off, right? And I think sometimes there’s, when you look at articles and news cases around compromises in security for IoT it’s often these low value devices that people cite sometimes and it can have much more catastrophic effects in the wider ecosystem and yeah, thank you so much for highlighting that.
John, in terms of the Foundation, just going back to that, what are the hopes for the Foundation in terms of how you want to position yourself coming out of the pandemic, where you want it to go? Clearly you were the first, despite this other [inaudible 00:41:56] person mentioning that they had done one a couple of months afterwards, but where do you see this going in general and what can our listeners do to get more involved with the Foundation?
Well, I think let’s start right there. It’s getting behind the mission. What we would like to see is the Foundation is more people joined. The more people that join, the more corporates that join, sign up to the things that we’re doing, contribute to the things that we’re doing. The faster we can move, the more that we can do. So for 2021, if I could make a wish for IoTSF, is that we swell our membership ranks because as I say, we can do more. You mentioned earlier, we’re not for profit. We’re a not for profit company limited by guarantee. So every piece of income we have goes right back into the good that we do and it goes back out. It doesn’t go to shareholders.
I think what we’re also looking to do is expand our reach. We really need to get the goodness of what we do out to more places, get more people talking about this. So at our conference which we ran in early December, we went virtual of course and it was the most successful conference that we’ve ever run. We ended up with 1,000 registrations, we were truly global.
We had talks from Japan, from Singapore, US, of course Europe and other places. But what we’d like to do is our chairman announced that we are going to start local chapters, geographically dispersed around the world. So the second half of the year, watch out for that. We will be announcing the ability to create local chapters. [inaudible 00:43:39] very important.
I think something else that, I haven’t mentioned this but it is such a key concept in security, collaboration is key. We kind of inferred it in many places. If you look at this complicated thing called IoT, it’s a landscape and an ecosystem of many moving parts, of many players and agents in there and what we’ve got to do as defenders, we’ve all got to work together. So collaborations for IoTSF will mean collaborations at the kind of international level, not just technology but geographic too. And that’s key into something which I call not losing. It’s one of the other phrases I’ve used along the way.
I’ve read a report, again, back in the early days when I was researching security, and there was this comment said, “The thing about cyber security is you cannot win. You can only not lose.” And I think that that’s an interesting idea and I agree with that but I do think there are ways that you can use it to your advantage. So collaboration is key, so more international collaborations. We announced a collaboration with the FIDO Alliance at the beginning of this year, really looking at the interesting passwords.
We all talk about passwords and we kind of just assume that they’re necessary, we need them. But guess what? Passwords do authentication. There’s actually better ways of doing it than passwords and so we’re working with the FIDO Alliance to try to reduce the dependence on passwords, and in fact maybe even eliminate them in certain parts of IoT.
And if you’re wondering how you can do that of course, just very simple example, pick up your mobile phone, you can use a face scanner, some sort of biometrics or you may have some sort of token, so it doesn’t necessarily need to be something that you remember. Again, if you look at the expanding universe of IoT, nobody wants to remember more passwords, right? So there’s better ways of doing things but collaboration is key. And the reason why we want to do that is to make sure that we reduce fragmentation globally around regulations and standards and we make it simpler for people, that’s the important thing. We don’t want fragmentation.
But I think longer term, what I would like to see is that, well IoTSF and the many colleagues that we accumulate along the way are seen as a force for good, that security is better understood, that it’s managed appropriately, so we can all really feel the benefit of… We haven’t talked about a potential [inaudible 00:46:15]. I know lots of people talk about this. They always talk about it but we really want to feel that benefit without being frightened of the risk because-
And the worry.
John Moor:
And the worry. I would hope that we get beyond project fear, that we’re not afraid, that we’re confident and we’re safe. And again, go back to the top of the conversation, make it safe to connect. That’s what we’re about. So that’s what I would hope and I know I’ve gone a little bit beyond this year, Tom, but that’s the long term. We need to amass lots of partners, a big army, because defense is actually harder than attack. An attack, you only need one way in but defense we’ve got a couple of basics and we’re going to do that by getting many more people with the program. And so we start with my appeal, if this interests any of your listeners, come join the IoT Security Foundation. It’s good and it’s not expensive.
Yeah, thanks John. Yeah, I mean we’ll share the social media contact at the end of the video but yeah, I mean personally speaking for me, I’m well behind it. As you know, we sponsored a security champion in the past and I’ve often introduced people to you that really feel as though they could add benefit to the Foundation, they can get a lot from it and I think it’s this ability to unite lots of different people in different ecosystems to ensure that this is integral to any development moving forward and the debt, as Bruce has said, that we will have to pay for this in the future and that we’re not thinking about it now. I think that whole tonality, that whole piece is really critical to this.
John, thank you so much for coming on the show. I know we’ve been meaning to do this and talking about it but I think it’s been about six months actually, but it’s been worth the wait. It’s really, really good and I really genuinely do hope that you and the Foundation get the exposure that hopefully this can reach to increase memberships and to increase awareness of all the great work that you’re doing.
Yeah, yeah. As I say, the need is acute. It’s there, it’s patently obvious, we’ve got to drive the demand and we can only do that together I think.
Thanks Tom, thanks for having me.
You’re very welcome. Thank you John.