Industry losing patience as regulators fail to keep up with IoT consumer security concerns …
Following the FTC’s recent announcement of its intention to study security update practices within the mobile industry, there is growing frustration in some quarters that the regulations take little account of the impact on the Internet of Things (IoT). Here, Jeremy Cowan reports on reaction to the regulatory hold-up and one company’s Asia-Pacific initiative to counter cyber attacks.
Cesare Garlati, chief security strategist of the prpl Foundation, former vice president of mobile security at Trend Micro, and current co-chair of the Cloud Security Alliance Mobile Working Group, is expressing his frustration at the scope of the FTC (the USA’s Federal Trade Commission) project.
Garlati tells IoT Now, “Mobile is now just a small fraction of the devices that surround us. In the years that passed since the FTC began publicly discussing this issue in 2013, the threat landscape has changed so much as to be almost unrecognisable. This effort is a good first step, but it needs to have a much wider scope in order to be effective — every connected device could pose a threat, and the hyper-focus on mobile security updates simply isn’t enough.
“Every connected device needs a clear path for receiving these critical security updates. What good is it if your phone is up-to-date if your home access gateway has been exploited? What about all other consumer IoT devices? IoT is still very much in its infancy – with people eager to get their hands on the latest and greatest connected devices and manufacturers rushing to get them to market, and security is often an afterthought,” Garlati complains.
The FTC has announced that in order to gain a better understanding of security in the mobile ecosystem, it has issued orders to eight mobile device manufacturers requiring them to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.
The eight companies receiving orders from the FTC are: Apple, Blackberry, Google, HTC America, LG Electronics USA, Microsoft, Motorola Mobility, and Samsung Electronics America, Inc.
The information these recipients are ordered to provide includes: the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device; detailed data on the specific mobile devices they have offered for sale to consumers since August 2013; the vulnerabilities that have affected those devices; and whether and when the company patched such vulnerabilities.
The orders issued are said by the FTC to be “part of the FTC’s ongoing efforts to understand the security of consumers’ mobile devices, including a workshop in 2013 and a follow-on public comment period in 2014. The Federal Communications Commission is conducting a separate, parallel inquiry into common carriers’ policies regarding mobile device security updates.”
… as NEC sets up Asia-Pacific links to a new corporate cyber security centre
While Garlati’s focus is on the domestic consumer and the risks to smart homes, others with security concerns are focusing on the risks posed by cyber attacks against enterprise and government IT systems.
Recovering from these attacks can cost millions of dollars and cause substantial delays in critical capital expenditure (CapEx) projects. The costs can also spiral with the widespread adoption by enterprises of the smart technologies and connected devices that make up the Internet of Things (IoT).
Now, one blue-chip Japanese IT company has decided to take its own steps to offer enterprise clients enhanced cyber security. Responding to the challenges, NEC Corporation (NEC; TSE: 6701) is establishing a new Global Security Intel Centre (GSIC) in Adelaide, the home of the South Australian Government’s Smart City initiative.
NEC, together with its regional ICT services and solutions subsidiary, NEC Australia, has announced plans to establish an AU$4.38 million (US$ million) Global Security Intel Centre (GSIC) in Adelaide, Australia, to address growing global demand for cyber security. The GSIC facility will aim to ensure that better cyber security enables the adoption of new, more efficient business models that in turn translate into new business opportunities.
The facility builds on NEC Australia’s recently announced memorandum of understanding with the University of Adelaide’s Smart City initiative, under which the organisations will collaborate closely on research and development.
The South Australian government has welcomed NEC Australia’s investment as a major boost to the state’s ICT capabilities, in particular in the cyber security domain. South Australia’s minister for Investment and Trade, Martin Hamilton-Smith, says, “NEC’s investment will help South Australia achieve global prominence in the cyber security field, and complement the Smart City initiatives already underway in Adelaide.”
The centre will create 50 new high-value jobs in South Australia over the next five years, making the state a more attractive destination for the ICT skills in high demand by organisations operating in South Australia, and newer entrants that have established themselves in the state.
“Adelaide has quickly become a destination of choice for companies in the technology and creative industries space. We offer a vast talent pool through the three local universities and a competitive business environment that ensures tech companies can grow and thrive in South Australia,” adds Hamilton-Smith.
The initiative contributes to NEC’s mission to add social value through technological innovation. It also reflects NEC’s understanding that combating cyber attacks requires a global perspective. To this end, the facility will complement NEC’s investments in cybersecurity-focused facilities located globally, including Japan and Singapore.
Mike Barber, chief operating officer of NEC Australia, said: “South Australia is providing NEC with a great base to bring new technologies into Australia. Adelaide is a recognised hub for new technologies and we’ve worked with a lot of local partners with great intellectual property delivering innovative technical solutions.”
“This isn’t just about the creation of 50 new high-value jobs in South Australia over the next five years – this is a major global investment in a growth sector,” Mr Barber said.
“We see the cyber security demand in Australia and the Asia-Pacific region as a huge opportunity aligning with the company’s global vision.”