Equal Expectations for Equal (Non-Person) Entities

I don’t hate robots. I think that any new technology that tries to show up today has to be built with some cyber defenses that are, by this time, fairly obvious. This means, first, that the vendor has to get it that we might care. We, the customers, have a right to expect thorough, well-tested, well-thought-out technology solutions.

Especially if you’re gonna let that thing drive itself around my shopping mall. Or my parking lot. Or deliver drugs to the other end of my pharmaceuticals facility.

It’s 2017. You want to put a device on my network, operating within my risk responsibility, that’s mobile and at least partially outside my controlled perimeter. With credentials to access my security command center. And you want a purchase order for that?

Yeah, I expect the product to have some cyber awareness.

What’s that mean? For starters, we expect the vendor to have a clue. Hint: when someone asks you “what’s your cyber posture,” the WRONG answer is “we haven’t thought about that.” Next, we expect you to be aware of this “internet” thing. No, not the sexy graphics that let you make your web site scroll down 8,000 swipes on the latest iPhone. I mean the common basic principles for operating a secure (and respected by search engines) web site to present your product. We expect your entire organization to think about doing things in a sound manner. That includes the marketing people (who represent your brand), the engineers, the QA people, the poor bastard who gets to refurb the wheel motor soaked in a shopping mall fish pond, all of you.

By the way, if you’re selling security gear there is a reasonable expectation you’d have a security attitude because, you know, your customers are likely to care more than average about security.

A robot is like any other “non-person entity” in the modern world. It needs to work, it needs to be sufficiently secured that some junior hacker in an army cyber sweatshop in China can’t compromise it to send spam, it needs to not help me get identified as the origin in the next Target-class enterprise compromise. It’s an NPE. We’re going to apply NPE rules.

(Shout-out to IPVM.COM. They don’t hate robots either.)
