
Fearing New Government Rules, Tech Titans Promise Security Vigilance

Lawmakers also may be likely to push for new legislation

Cutouts of Facebook CEO Mark Zuckerberg stand on the East Lawn of the Capitol ahead of his testimony on the Hill on April 10. The tech industry increasingly is questioning its security practices. (Tom Williams/CQ Roll Call)

SAN FRANCISCO — New European privacy rules, the spotlight on Facebook’s role in the 2016 elections, and the potential that cyberattacks targeting devices could harm consumers in their homes are propelling the tech industry to question its security practices and prompting top executives to promise to make amends.

During five days at the annual RSA Conference last week in San Francisco, top executives from the world’s largest technology companies, including Google, Microsoft, IBM, Cisco, McAfee and Symantec, said they took the scrutiny seriously and would not only step up to make their own devices and software safer but also work with thousands of vendors worldwide, urging them to do the same.

A handful of government officials showed up at the conference to cajole as well as scold the companies. Congressional aides warned that lawmakers were likely to push for new legislation. And security experts said everything from medical devices to cloud data servers continue to be vulnerable to attacks and sabotage.

“GDPR is the first indication that something is going on … and if we don’t take control of our destiny, it’s going to be controlled for us,” said John Stewart, chief trust officer at Cisco, the maker of networking hardware and telecom equipment.

GDPR is the European Union’s General Data Protection Regulations that take effect next month and will demand that tech companies offer European citizens greater control over their personal data and allow consumers to opt in to share information. Companies will face stiff financial penalties for data breaches.

Technology companies “need to talk to governments and one another” about how to improve the security of computers and devices, Stewart said.

“We don’t demand vendors develop products with security in mind,” he said. “Let’s stop this madness. Imagine a world where you can trust a vendor … you know, that a company and colleagues you work with care just as much about security as you do.”

Rules without borders

Since the internet knows no borders, the European Union rules are likely to affect companies all over the world if they sell products and services to Europeans. Even companies that don’t directly do business in Europe but store data there could be subject to the new regulations.

Although there are no U.S. federal data privacy laws similar to GDPR, state laws differ in how they regulate the level of protection required and the punishment for breaches. But that could change because of GDPR, said Russ Schrader, executive director of the National Cybersecurity Alliance, a nonprofit group that helps educate small and medium-sized businesses on data privacy and security.

“GDPR is going to drive the process in the United States because of [the law’s] extra-territorial reach,” Schrader said.

Microsoft President Brad Smith announced several steps the company would take to improve security not just on its popular operating system and business software such as Word and Excel, but on microchips that power its Xbox gaming devices as well. The company also announced a new class of microcontrollers — thumbnail-sized chips — that power a range of internet-connected devices, also known as the internet of things.

More devices than people

Manufacturers are said to be shipping out 9 billion such internet-connected units each year, including baby monitors, voice-activated personal assistants and remotely operated door locks. As many as 200 billion such devices could be connected to the internet by 2020, or an average of about 26 for every person on earth. 

Too many of these devices are being sold without a thought to security, said Homeland Security Secretary Kirstjen Nielsen.

“Too often, in a rush to be first to market, young companies are disincentivized to build security into their products,” Nielsen said. “Why sell a $30 cyber-secure pedometer for marathon runners when you can sell a basic version for $5? And who wants to buy the $30 version?”

Nielsen said her agency was working with companies across the United States to change tech companies’ thinking from “first to market” to “first to market secure.”

Given the proliferation of internet-connected devices, one of the bills in Congress that would address how federal agencies decide which internet-connected devices to buy may gain some support.

A bipartisan bill called the Internet of Things Cybersecurity Improvement Act — backed in the Senate by Virginia Democrat Mark Warner — would set minimum security standards for all internet of things devices that connect to the internet. Republicans Cory Gardner of Colorado and Steve Daines of Montana are co-sponsors, along with Oregon Democrat Ron Wyden.

That bill could get some traction, said Rafi Martina, a senior policy adviser to Warner.

Many devices come with factory-set, hard-coded passwords that cannot be changed and present attackers with easy entry points into larger computer networks, according to the draft bill.

Government agencies are increasingly buying and installing internet-connected devices in offices, and that poses greater challenges for government computer networks, Martina said. The bill would require the Office of Management and Budget and the National Institute of Standards and Technology to specify security measures agencies must take to prevent such devices from becoming gateways to larger networks.

Lessons from airplane hijackings

Tech executives said it’s not enough for companies to blame consumers and users for sloppy security practices such as not changing passwords or carelessly plugging in a removable storage device. Companies and governments around the world should join hands to improve security for users everywhere, said Christopher Young, the CEO of the computer security firm McAfee.

The proliferation of cyberattacks by criminals and hackers backed by nation states resembles the spread of hijacking of airplanes in the 1970s, Young said.

Governments routinely paid ransoms to placate hijackers at first. But after a hijacker threatened to fly a plane into a U.S. nuclear facility in the 1970s, the federal government instituted baggage and passenger screening rules, Young said. Since then, every new threat to air travel has been met with stringent rules, he noted.

In response to growing threats, pilots and crew are highly trained to deal with them, and the tech industry should adopt similar practices, Young said.

“If you look to air travel industry, they are obsessive about safety and security, from pilots to everyone in the industry,” Young said. “Cybersecurity hasn’t yet reached the level of priority in order to truly manage the attacks we face.”
