Cable / Telecom News

CTS 2017: Why telcos must be more vocal on privacy


TORONTO – Canadian communications providers have to become leaders in the debate about the importance of privacy and cyber security to educate consumers, an expert has told a telecom conference.

“They have to be much more vocal,” Ann Cavoukian (pictured), executive director of Ryerson University’s Privacy and Big Data Institute, said Monday at the annual Canadian Telecom Summit in Toronto. “We’ve had a lot of conversations but we need much more to explain to the public: ‘This is your data. Telcos may have custody and control, but they don’t own your data. They don’t have the right to do what they want with it.’ So we need some constraints because it’s extremely sensitive information.”

At the same time she slammed Bell Canada for admitting last month that almost 2 million email addresses and 1,700 customer names and/or telephone numbers had been stolen in a data breach. “It’s amazing security could be so weak that it could affect so many Bell customers,” she said.

Her comments came during a lively panel on cyber security. Cavoukian acknowledged that Telus has put the privacy of customer data in the headlines by going to the Supreme Court of Canada to demand that police get a court order before telcos could be compelled to hand over certain telco customer data. Panelist Stewart Cawthray, general manager for enterprise security at Rogers Communications’ enterprise business unit, added that his company fought an Ontario police department in court over its demand for thousands of wireless customer records from one cellular tower during a bank robbery investigation.

Much of the tone of the debate, however, focused on how little consumers know about security and privacy, particularly about Internet of Things (IoT) devices, such as home routers, connected cars and even smart phones.

We’re just seeing the tip of the IoT problem, maintained Gary Sockrider, principal security technologist at Arbor Networks. Unsecured IoT devices, particularly poorly protected Internet-connected security cameras, are being harnessed to create huge botnets that can be leveraged for distributed denial of service (DDoS) attacks, he said. Last year’s Mirai botnet attacks on a U.S. cyber security reporter and on domain name system (DNS) provider Dyn Inc. are just the start of a new level of attacks, he said. But far too many IoT devices are built with poor security, leaving them vulnerable to being taken over.

Carriers have only limited visibility into their networks and can only scan so far, said Cawthray, but he and Sockrider said there’s too much pressure on IoT device manufacturers to get products to market fast, so they do it without proper testing. “There’s always benefit being first to market, but no benefit to being the most secure right now,” Cawthray said.

One big problem, he maintained, is that many consumers and small businesses don’t care. “They don’t believe they’re a target right now.” During the Mirai attack many companies believed it was just an assault on a DNS company, he said. “They may not realize their small business may have been used in that attack.”

“So really stressing to Canadian businesses that you’re never too small to be a target” is important, he said. “There is always going to be someone who will find your data to be of value. There is always a market for it.” But small companies don’t understand a data breach can put them out of business.

That’s why he’s looking forward to the implementation of new data breach reporting obligations that may finally shed light on how many companies are breached each year. Once the public is aware of the depth of the problem there will be more pressure for secure online solutions, he hopes. However, the federal government is still drafting reporting regulations. They may not come into effect until next year, meaning statistics may not be available until 2019.

“There needs to be an industry standard for how secure IoT devices should be developed.” – Gary Sockrider, Arbor Networks

As for who has the bigger responsibility for privacy and security – consumers for not pressing the issue or knowing the risks, equipment manufacturers for not being tough enough, or service providers who run the networks and sell some IoT devices – opinion was divided.

“It’s a balancing act,” said Sockrider, because device manufacturers have to meet the requirements of operators, consumers and regulators.

Ultimately there has to be a partnership across manufacturers, service providers and the consumers, he said, all of which have to agree they play a role so together there can be solutions all can live with. Carriers can’t stop a weak or unchangeable password on a sensor from being exploited, said Cawthray, but, he added, when consumers start demanding secure solutions, IoT vendors will follow.

In the meantime, he showed some frustration. “I’m the last person to say we want some form of regulation, but … there needs to be an industry standard for how secure IoT devices should be developed. A framework or model for developers to work from … that says if you’re building a connected device these are the base security controls you should build into it.” Then consumers and corporate buyers would have a choice of products to buy.

There is an industry group that has created a standard – The Online Trust Alliance, now part of the Internet Society. In an interview after the panel Cawthray applauded its work but said it isn’t widely accepted.

The last word goes to Cavoukian, who reminded Internet providers in the audience that there’s a cost to not providing security to customer data – in lawsuits and loss of brand reputation.

Photo by Howard Solomon