Professor Jill Slay, the director of the Australian Centre for Cyber Security at UNSW in Canberra, has delivered a scathing attack on the IoT industry for failing to design in security, on the vendor community for peddling false promises, and bemoaned what she sees as a general lack of leadership in cyber security.
Delivering a speech at the Everything IoT conference in Sydney, Slay opened her presentation by telling the audience: “I am the person who is going to pour cold water on all your enthusiasm.”
Of her role, and that of other security researchers she said: “We have hacked every kind of device you can imagine. We walk a few steps behind you agile people who adopt new things. Then we attack them and tell you why you shouldn’t use them. That is who we are. … Our mantra is: ‘Don’t bolt on the security afterwards, build it in at the beginning.’ Security by design. Hack it to death yourself.”
She called on all involved in IoT in Australia to develop a culture of security as a matter of urgency. “The Internet of things has a bright shiny future, but we are way past the beginning already. We need to build in the security now. “I commend you all for your excitement and I trust you will secure everything. Let us develop a culture of security as we develop a culture of agility.
Meanwhile she accused vendors of making unrealistic promises about their technologies. “I live in Canberra. What I see is the vendor solution to everything. It would appear that we just have to buy the right tool and the right vendor training for the tool and then we will see a system that is secure. If anybody promises you that, it is just not true.”
Slay claimed that the growth of cyber crime in Australia had been “exponential” but was under-reported. As a result, she said insufficient funds were being devoted to combatting it.
“In Queensland there are more reports of domestic violence than of cyber crime, so more resources are put into that. We don't have the finances and we don't have the resources to tackle cybercrime.”
Slay said that, despite the government having a cyber security strategy there was no clear cyber security leadership in Australia.
“If you live in my world, in the training, teaching and research world, it is really difficult to understand who wants to be the leader in cyber security. Who wants to say: “This is the direction we should go nationally’.”Read more: Clock ticking for cyber security laggards?
She acknowledged there was now a government cyber strategy but said: “If you look at the literature, and that is what professors do. There are two major voices in the literature. One is the computer scientists that have done great work in developing the algorithms, but also this is the realm of cyber security for national security and cyber security gets mixed in with national security.”
Compounding the problem, Slay said was a great shortage of cyber security professionals. “We have a huge shortage of data scientists, a huge shortage of cyber security professionals and an even greater shortage of those who can deal with data science and with cyber security.”
Also, she said cyber criminals would always be more agile than organisations seeking to counter them.“As law abiding companies we have to be governed by policy, regulation, law and ethics. The bad guys are not governed by policy, regulation, law and ethics. So even if we become as agile as possible, they will be much more agile than us.”
Slay predicted that poor security practices among SMEs would make large organisations vulnerable, despite their own best efforts. “I feel the top end will be reliant on the bottom end, and that is where the risk will be.In Australia we have a lot of SMEs and they struggle to deal with cyber security because it is hard for them to access the right level of expertise at the right costs.”