By Megan Bozman
Crowdsourcing may be a new trend, part of the ‘sharing economy,’ and it can be a great solution to some challenges. My husband once referred to Reddit as “crowdsourced humor.” Security definitely benefits from examination by a wide audience. The more individuals seeking weaknesses, in a “bug-bounty” style program, the stronger the security can become.
Smart Home Security Contest
The Federal Trade Commission announced a contest this week challenging the public to create an innovative tool that will help protect consumers from security vulnerabilities in the software of smart home devices. The FTC is offering a cash prize of up to $25,000 for the best technical solution, with up to $3,000 available for up to 3 honorable mention winners.
IoT Home Inspector Challenge contestants are specifically asked to “Develop a tool that would address security vulnerabilities caused by out-of-date software in IoT devices.” This is the FTC’s fourth government contest under the America COMPETES Act, and the first one addressing IoT issues.
Submissions are due May 22, 2017 and winners will be announced on July 27, 2017. The web page provides further details about how judging will proceed.
Authors of the recent drone-enabled hack of Philips Hue lights recommend including the larger security community and academia to enhance IoT security. “We believe this will not be the last bug or attack found against ZLL [ZigBee Light Link] commissioning. While the vendor’s main design goal of ease of use is understandable, a better trade-off between usability and security must be made, and the security community and academia should be allowed to take part in the process.”
A Washington Post article last year described crowdsourcing cybersecurity as “an idea so crazy it might just work.” This is part of the approach taken by Synack, a “crowd security intelligence” company founded by former NSA analysts. Synack combines humans and machines to tackle network vulnerability assessment. The human element is the “Synack Red Team (SRT),” a group of independent, expert security researchers who work globally to identify potential weaknesses. Leading Fortune 500 companies, the Department of Defense, and the IRS are among Synack’s clients.
Multifaceted Approach Needed for Cybersecurity
Cybersecurity think tank ICIT, The Institute for Critical Infrastructure Technology, published a report last month which analyzes the recent Mirai IoT botnet and provides suggestions for enhancing IoT cybersecurity. ICIT recommends a multifaceted approach, including legal regulations. When threats arise from multiple angles, a varied defense certainly makes sense, and the new FTC contest should be a positive addition.