FTC's "Things" report has too much faith in present to secure future

WTF FTC?

On one hand I have to applaud the Federal Trade Commission for getting out in front of the coming Internet of Things (IoT) glut, estimated at 50 billion devices by 2020.

With the other, I just have to slap my forehead.

The security suggestions in the FTC's 71-page report, while pragmatic are no different than best practices offered today for security that is built-in by vendors, added by third-parties, maintained by trained "experts," overseen by IT executives, and mostly flies over the head of low-tech consumers, the group the FTC report addresses.

These are mostly the same security best practices that were in place during the past 14 months of Breach-a-Geddon.

We can't contain bad actors and data-greedy apps with today's security and security settings, how does that look when we add 50 billion Internet connected devices trading in data and force-feeding analytics engines?

In November I wrote about the folly of today's "things on the Internet" and the 20 miles of bad road to be traversed to reach a smoothed information superhighway called the Internet of Things.

Dare I utter the dreaded word: legislation? At least one of the FTC's suggestions has the backing of the agency's long legal arm.

Is this mark familiar to you UL®?

Many people immediately think electrical safety, but this registered trademark has expanded to include sustainability/renewable energy and nanotechnology. The mark also ensures the safety of sprinkler systems, personal flotation devices, and bullet resistant glass.

UL, a global independent safety science company, has "a broad range of services that support every stage of the product life cycle. UL works with retailers, we consult with governments and we collaborate on standards that create level playing fields."

Sounds similar to what the FTC had in mind. And the future-resistant FTC will be glad to hear UL dates back to 1894.

IoT needs a UL.

I don't expect the FTC to be Nostradamus-like on the future of security, but here's what it suggested in its report (with my commentary added) on a coming burst of privacy-stretching technology innovations and unprecedented data creation/sharing. Will this list create adequate security?

• Companies should implement "security by design" by building security into their devices at the outset, rather than as an afterthought. (See: Preaching This For Years).
• Companies must ensure that their personnel practices promote good security. Companies should ensure that product security is addressed at the appropriate level of responsibility within the organization. (See: Fired Target CIO).
• Companies must work to ensure that they retain service providers that are capable of maintaining reasonable security, and provide reasonable oversight to ensure that those service providers do so. Failure to do so could result in an FTC law enforcement action. (See: Now You're Talking).
• For systems with significant risk, companies should implement a defense-in-depth approach, where security measures are considered at several levels. (Refer to Previous: Preaching This For Years)
• Companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer's device, data, or even the consumer's network, including strong authentication. (Disclosure: Clearly I'm on board with this one).
• Companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities. (See: 17 Years Of SQL Injection)