IoT Security Solutions for the Safety of Connected Homes Requires Collaboration and Innovation

Hello, everyone, and welcome to another episode of wavelength. On amphenol Broadband Solutions podcast. If you're tuning in to today's episode of the podcast, guess what? You're jumping into a part two. That's right. This is part two of two of a conversation with Thomas PACE, the CEO of Netrise. So if you missed part one, go ahead and jump back out, listen to part one, and then loop back around. But if you're here with us for a, continuation, of our conversation, then you know that we're gonna be talking about all things connected homes and the larger privacy and security needs of connected homes, as well as the network infrastructure that supports this growing ecosystem of connected IoT devices. So make sure that you're listening to part one. If you're already caught up with part one, then welcome to part two of our conversation. And let's go ahead and jump in. We're continuing our conversation again with Mister Thomas PACE, CEO of Netrise. If you had to offer your own, advice here, how do you think these various nodes of risk. Right? And users, device manufacturers, networks, etcetera. How should they collaborate more proactively to prevent tax and data breaches. Right? Because, I mean, a lot of responsibility often gets talked about as, an individual responsibility. Right? Device manufacturers need to hold themselves and their standards you know, to account. End users need to hold themselves and their standards for where they share their data, you know, to whatever that certain standard is and try to not cross it, etcetera. Mean, do you see any room for a little more, handshaking and, you know, not like kumbaya hand holding, but, like, Let's get this done hand holding to collaborate, across those various nodes, of risk. What do you think? I think that there is a massive opportunity for organizations to differentiate themselves from a, like, very advanced product security perspective. And I think organizations that choose to do that will have a market differentiable service or solution that they can provide. So You know, we we've we've looked at a significant amount of, like, telecommunications devices in the firmware of those things. And it's not great. So the reason I bring that up is the infrastructure providers I mean, imagine, like, and think about the buying power an AT and T or Verizon has. I mean, They can go back to anyone and say anything they want to. Right? Hey, we want a device that has zero vulnerabilities. First company do that, you win the contract. Like, they they can do that tomorrow. There's nothing stopping them from doing that. What what's what's stopping him, I think, is a a set of, you know, probably not great incentives that has been that has been laid bare. So, like, that that's the problem you have here in terms of unwinding it. Like, you can write down how to do it on a piece of paper. But then you look at the practical implementation of these things, and you you realize really fast. That the that the set of incentives that are actually driving the market are not the ones you would hope would be driving the market. You know, to intersect, the work that you're doing here a little bit more, for a move topics a bit. What role do you see third party security solutions and this idea of, instead of sort of device based security, more oversight and monitoring of device ecosystems in real time. What role do you see that playing in this security ecosystem? Break that down for us. I I see it playing a a massive role, obviously. It's kind of like who's watching the watchman role in in in in some respects, which is always a good thing. Right? I mean, just like the Department of Defense has watchdogs and other, you know, they have checks and balances of the, you know, the three branches of government. Right. There's always it always makes sense to have basically, another set of eyes on on these things. And so what I what I find is the kind of, harken back to the lack of visibility discussion. If if they're not gonna provide that visibility, fine. Like there are third other third parties who can and will. If you go all the way back to twenty some years ago, when I mean, Microsoft was the people making the operating system, but it took third parties to identify the vulnerabilities in that operating system. Right? So it's this is not a new it's not a new idea, in terms of, you know, leveraging third parties to provide you know, more positive outcomes here for even very large companies. It's really what's happened forever. We brought this up and kind of tease it out a little bit. The US cyber trust mark, don't wanna ask about that just yet. I wanna actually paint a more broad question here, but let's talk legislation, regulation, sort of the the public sector's role in all of this. What are your thoughts on current regulation and current, you know, legislation around privacy and security standards? Would you say that they're sufficient to protect consumer privacy in connected homes? Is that even, you know, is that even the right place to start? What are your thoughts on its role here in this ecosystem too and kinda where it's at? I mean, generally speaking, so you have to have Some some regulation is required. I I think I'm not a regulatory expert. But there are certain industries where if there was zero regulation, you're talking about just an a a real, not great state of affairs. So, however, I I think regulation does a does a real does a real number on competition. It generally makes the the opportunity for incumbents like, very positive. Right? Like, new players basically can't enter the space, for a number of reasons. And so I don't feel like that that typically yields a very positive, outcome for what is actually hoping to get accomplished. Right? Like, imagine waking up and being like, I'm gonna start a bank today. Do you know how impossible that is? It's impossible. It's totally impossible. Or you're saying, like, I wanna start a new telecommunications carrier today. Good luck. Like, it's not even it's like with it's like not even in the, like, it's out so far out of reality. And that's actually what makes a guy, in my opinion, like, like, the things that, like, Elon Musk does, like, so totally insane. Right? He's like, oh, I'm just gonna go create a American car company. Like, what? You you know, that that's that's the most impressive thing. Is that he's created these companies in insanely regulated industries, with a fair amount of success as well. So regulate it just creates this, set of circumstances where you have to spend more time navigating the regulatory situation than actually solving the problem. And that's that's my concern, about this. Conceptually, how could I not be in favor of, like, what's going you know what I mean? Like, having some minimum standard, having some set of set of roles, and objective measures that meet some legal framework, regulation, whatever. Like, conceptually, that's have to imagine that's a positive thing, but then I get concerned about every device manufacturer ending up in court. Which is just start going to stifle innovation. Right? Because people are gonna be like, I'm not gonna what's the point of me starting this company? I'm just gonna get sued, like, six months after I start the company because, like, I didn't do a perfect job on this thing. And that that is exactly what will happen. I mean, America is a pretty litigious place. And and there's a benefit to that. Right? The benefit to that is that companies behave themselves. Hear more than they do in other places. Right? I mean, you hear the you hear the horror stories about, you know, other nations building infrastructure for, like, the World Cup and Olympics. And there's let's just say there's no OSHA. Over in those countries. Right? And so it's like this weird balancing act where you need some, like, some minimum standard here. But where do you where where do you draw that line? And that becomes orders of magnitude more difficult when you talk about cyber security, which is an abstract thing. Right? It just is. Like, if you're saying like, hey, we wanna build it's like why they when they compare it to energy star, I'm I I don't agree with that analogy. Right? That's a very quantitative you know, fixed set of physics that is being applied to a thing. That that same set of criteria and measurement does not exist in cybersecurity. At least it has not been agreed upon by the industry at That's for sure. So I think it it talks about, again, how complex this ecosystem is, and especially when you're talking about something like cyber security where you know, the underlying technologies of all very quickly, new solutions come into play that kinda change up the whole dynamic of, managing cyber security of setting standards, of cybersecurity solutions themselves now posing new risks. I mean, when you talk about, like, AI and machine learning being now a core foundation of a lot of these solutions, that in and of itself Again, starts to keep that wheel turning, and, you know, I I'm with you. I agree that legislation regulation is is useful. And important, but it is also bureaucratic and moves at a rather snail pace. So it's not gonna be a leading metric of, you know, security standards. Likely, more collaborative approach is gonna need take place to identify what those strategies are. Regardless speaking of a a bare minimum here, the US is attempting to shore up some of its IoT security standards with the recent launch of its US cyber trust mark, which I know you're intimately familiar with, before the call started, you let me know that you're you're thinking about it daily, maybe too much. And so I wanna pull from your experience there. So again, for our audience, if you're unfamiliar, the US Cyber Trustmark is a cybersecurity labeling program specifically for IoT devices. So this program is created with the aim to help consumers make more informed decisions about the security of the IoT devices they purchase. So It's kinda like a USDA organic label, except for an IoT security laundry list, of, you know, various areas of risk. So the labeling system is gonna have a little shield logo on products that meet specific cybersecurity criteria. These are set by the NIST, the National Institute of Standards and Tech. So let's get your thoughts on some of these, How effective do you think the US cyber trust mark will be in enhancing IoT security for consumers? What are your thoughts on its approach and, effectiveness on paper? I don't know that consumers care. The ones that do will already be doing their homework. I don't think a sticker is going to move that needle for them. The big thing about the sticker is If I remember correctly, like you're basically saying, you're committing to supporting a given thing for some period of time. That you define. And you can say, never. We're never gonna support it. We're releasing it, and this is it, and there's no updates. And you can and then you get a sticker. Or you can say we're gonna support it for ten years. And then not supported at all. And then that's where you introduce this liability question for you. So I I have I just have a difficult time understanding why someone would sign themselves up for that. And that's not a technical conversation. Right? Like, you're gonna sit in a room with a general in the of a general council of a device manufacturer and say, listen, we're gonna sign ourselves up for this potentiality for liability or what do you think? I mean, listen, I don't have a law degree, but I think I can I think I can come up with what the answer might be? Just why? Why would you do it? I don't and there's there won't be a critical mass enough that will force everyone to do it either. Right? Because let's say Cisco. If Cisco doesn't have a shield sticker, do you think people are gonna stop buying Cisco? Of course not. They're still gonna buy it. It's not gonna matter. So you'll have this very small number of companies that might do it but I don't know. What's what's frustrating to me about even my answer is I want it to happen. Right? I just want it to make sense, and I want it to be widely adopted, and I want people to do the right thing. And I just don't know if that this is the course for that. A company probably wouldn't allow a label to go on their product that shows yet we met zero of the mark We are the least secure product on the market. I mean, at that point, it probably just wouldn't even participate in the cyber trust mark in the first place or and maybe this is the intended effect just having to you know, get the sticker on there and show that you did your bare minimum will sort of raise the floor of security standard. So now more companies will at least be doing a bare minimum, even if it doesn't, like, really resolve the issue. It's just kind of enough of an impetus to get them to do something. Or to improve their approach somewhat. Do you think on that front, it'll be useful or or, you know, it's strategically implemented correctly or even on that front, is it not really gonna achieve what, you know, it's setting out to do? What are your thoughts? It was all carrot? Maybe. It's carrot and stick. So you're gonna say you're gonna do these things, then if you don't, you've just in you've just introduced yet another opportunity for liability within your corporation. And that's just what companies don't want to incur. Right? What I would almost advocate for what I would almost say is saying that you're doing the things aligned with the cyber trust mark, but without getting it. Because now you're doing them, but you're not incurring the liability that comes with the sticker. Right? So I just I don't have any desire to get more litigious stuff going on in this country. I just don't. You know? And, you know, I am I've offered a lot of comments that will be made public, you know, depending on, I don't know how that all works with the agencies. But I've submitted all these opinions to, the agencies and commission that are putting this out. So It's it's it's I I I it's really frustrating because I'm talking to, like, the senior executive folks at these commissions and agencies it's like I'm talking out of both sides of my mouth the entire time kind of. You know? It's like, I I support this wholly conceptually. But then it's just like how does this actually happen? Right? So this thing could get past. It could be a whole thing. And then you could have a grand total of zero companies doing it. And it's like, so what did we accomplish? Yeah. You know what I mean? We just wasted a bunch of tax dollars and energy and effort for what. So I think there's better I think there's better ways. I think there's I think there's existing frameworks and policies and things like that. That we can use. And I also think that going after consumer products is really not the way I would start from a technology perspective. There's other markets that make sense to go out to consumer first. Right? Cause that's where the biggest buy is. News flash. Consumers are not the biggest buyers of technology, guys. They're not. Desu is the biggest buyer of technology. The US federal government. I was I was about to say, is it is it us? So it's like you have these agencies in in organizations. That literally are the biggest buyers, almost passing the buck's not the right word, but, you know, pushing it off. The consumer's the smallest buyer. By by a by a mile. Right? So if you wanna make a change and you wanna see where we can make this impact felt by whoever it is, device, whatever it is, you have the buying authority. You are the biggest buyer on planet earth. Don't ask the consumer to be the person that's like the who's delivering just doesn't I I think it's not placed in the right direction. You wanna do it on the big enterprise, if you wanna do it on corporations, that's fine too. Either way. Because then you mentioned this earlier too. It's actually a lot of the enterprise devices and the commercial and industrial devices in the first place that have the worst encryption and the highest amount of security risks. So it's interesting that all the focus then comes back to, you know, make sure your Amazon ring is safe. Now, I mean, obviously, that's important too, but, yeah, you know, the conversation seems to be honed in on only one small slice of the market when, you know, mass decision making and sort of mass standard setting feels like maybe that energy should be put elsewhere. So That is interesting to see that dynamic play out. Hopefully, there's some course correction on that front in the near future. Think about it. Right? If you're selling if you're Amazon and you're selling a ring camera, do you care what the consumer thinks about how you're like like, you don't care. Like, you're like, this is what I'm selling. And if you can buy it or not, you're selling into giant enterprises, that is not the dynamic. Right? They're like, it needs to work, and it needs to work this way, or we're not giving you money for it. And so that's created this, like, long tail of issues and problems over a very, very long time. Because corporations are just gonna be like, hey, leave this thing alone. It works. But it's like, yeah, that's true. It does work, but here are the pleather of problems. And then you start hearing people say really stupid things, like, but it'll never be connected to the internet. It's just like, okay. How how could you even make that statement? It's such an insane statement. It's like maybe it's not supposed to be connected to the internet, and that's fine. But the fact that you design something because it's not supposed to be connected to the internet. Like, what? Like, yeah. Like, we built cars And like they're not supposed to hit other cars, but guess what? They do. So we were like, maybe we should put, like, airbags in here and, like, seat belts and stuff and have, like, some minimum level of engineering that exists. So if a car hits a wall, it doesn't just, like, explode. Right? Maybe like You you don't design things for how they're always supposed to be. That's not how anyone designs anything. So it's just kind of a really crazy, set of expectations that's been, like, put out there by people. It just doesn't align with really any other place in I wanna pivot a little bit here. I wanna talk networks now as we start to wrap up the conversation. You know, I'm curious the role that you see the networks themselves playing in this security conversation, especially when we see such a variety of approaches. I mean, there's obviously always fiber networks. They're touted for high speed, low latency, and also, like, generally being secure. But I'm curious how they measure up compared to, like, other I mean, other basic networks, non fiber based networks, or even more proprietary IoT networks, like Amazon sidewalk, right, which is probably the most high profile iteration. We also see in industrial settings more sort of private IoT networks that are more just for OT needs. Right? They're not giant, you know, you're connecting all of your devices to also the company WiFi They're a little more isolated. Of these approaches, what are your thoughts on their general efficacy and, their security measures and standards? With fiber, you just have like a physics problem. I mean, tapping into fiber lines is hard. Right, tapping into copper lines is not. I mean, so so that's that just makes that like one of those things is harder than the other thing. Tapping into wireless networks is easy. Tapping into physical networks is harder. So that's just reality. Right? Whenever people wanna talk about how this wireless technology is like more sec like, it just can't be true. If I can go outside with an antenna and pick up what's going on on that network, and I and then I go next door, and that that network is only has a communication channel that is physical. The level of effort for me to gain access to the data on one network versus the other one is just very, very different. And that's not, like, really, it's not really There's not really much of a debate that we had there. At least not right now. So You know, I I I think that's kind of like a a a a pretty straightforward thing. And with that argument in mind, would that same logic apply to the spread of wireless networks. Right? So the more private, the more contained, the more sort of, you know, an isolated network for just these ecosystems, the safer it is? I mean, is it always that one to one? I mean, having dedicated networks that had some thought go into them before deploying them, I think, is always a benefit. Right? If you only expect these kinds of devices, to operate on this kind of network and you design it as such, and you don't, like, you know, you do things like white listing of Mac addresses to allow. I mean, there's ways to beat all of these things. Like, you know, you're not broadcasting, networks, you're using very, very strong encryption, you're segmenting things properly, etcetera. I mean, Yeah. That's better than just having a network that's wide open and anybody can join and do whatever they want on. Now there's just always this cost benefit. If you're gonna do that, then that's gonna be more to manage, more to maintain, more to administrate. Right? You're getting you're now making networks more complicated and complex, as a as a result. So Yeah. Now now there's no avoiding it, by the way. Like, that this is going to be the environment that we operate in moving forward. Right? Are these massive wireless network that are probably going to be mesh networks, especially with the advent of five g, and the massive, no density that is going to be required to push out five g in a real meaningful way, which to call disappointing, I think would be maybe the biggest technological understatement ever. Like, but once again, this is what happens when you have unimaginably regulated industries like telecom, like the five g, you know, goals are just a total joke. Like, to talk about something that has not come to fruition. Oh my god. We've had a five g technology for one a decade now. And it's, like, barely deployed. Alright. You have these carrier you have cell phone carriers putting five g like, little emblems on everybody's phones when it's really just four g, like, being totally maxed out. So, you know. Oh, to start to wrap up the conversation, let's get to a place of, some actionable advice for our audience here. So, we started by chatting on connected homes. Let's kind of circle back around there. Right? You know, I think you painted an accurate picture. When we're talking about connected homes, most consumers are looking for a plug and play option. Most consumers are not the most. You know, security ecosystem savvy. You know, even the idea of choosing which cookies you wanna allow on a site and it shows you, thirty cookie options. Most people are just gonna hit accept all or just the necessary ones, whatever that means, you know, which ones are necessary. So There's a lot of education on the market to do. Right? And there's a lot of Yeah. There's there's a lot of education to do for the market. Now with that in mind, what are some proactive steps that you think homeowners, or really anyone dealing with sort of, consumer level IoT devices, what kind of steps can they be taking to help secure their data, their networks, and really these IoT devices against unwanted breaches and hack any strategies or technologies that you recommend, are added to that approach? I mean, keep all your stuff updated as much as you possibly can. Whenever you're designing your wireless network, use the best encryption protocols that are available, which is like WPA two, I think, is still, like, the latest and greatest or whatever, even though it's been proven to be not foolproof. Use a very long password. You know, length over complexity is always the the the benefit. I was gonna give you the best bang for your buck rather. If you have devices that have default credentials on them, change them. Admin admin is not good. So if you do those three things, you have just made like the barrier to entry much much more difficult. Attackers are typically going after low hanging fruit. Especially as it relates to, like, botnets on consumer devices. Like, you are not a target. Sorry. Because let me tell you if you were, all three of those recommendations I gave you will be totally useless. And they're going to get you. Period. That's that's it. All you're really doing here by taking these actions is making sure you're not a piece of low hanging fruit. That's it. If a nation state wants you, I don't know what to tell you, man. You're you're you're cooked. That's it. But I'll try to stay off, you know, nationally registered, radars then for that, for that reason, good call. Now would that advice then apply, like, would you give the same strategy and the same advice to businesses you know, commercial entities, industrial entities that are looking to secure and shore up their own devices as well. No. I mean, I mean, yeah, like, at a high level. Like, yeah, keep your things updated. Use good passwords. Like, yeah. Sure. But here's the other thing large enterprises have. Third party risk management programs, procurement, buying power. They have significantly more tools in their toolbox that they can use. To drive this thing forward. Right? And I think that is what's going to be required in in in some ways to push back on some of the device manufacturers is when the buyers and end users of the devices are like, Hey, we've identified a handful of problems here. And we want them fixed. And if you don't fix them, then we're just not going to pay you any money. Or we're gonna go find someone who will. So a consumer does not have that same capability. Sorry. They just don't. You know, you can go write a blog post, I guess, or reach out to your congressman, like, okay. Let me know how that works out for you. Yeah, Google has a lobbying firm that's has a GDP higher than probably most countries. I don't I don't think that, you know, you reaching out to your local congressman about the insecurity of your nest camera is gonna move the needle real far. But and that's just the state of affairs that that that we're in. So because that's what happens. Right? We say, Hey, we're gonna give the consumer the ability to sue. Okay. Congratulations. All these companies have now hired massive lobbying firms to fight that very notion. So now we've just, like, created this you know, dynamic where a bunch of people are just like trading dollars and nothing's actually happening. I think that's a great place to end it in really just that a lot of the change that we'd like to see around security measures is likely gonna take a little muscling, you know, various parties with whether it's a lot of clout and influence over the process or let's be honest with fat pocket books are probably gonna be the ones that are going to make the biggest changes in the short term, and so any kind of unified action on that front kind of collaboration between entities that hold a lot of, you know, a lot of power in determining market forces are probably gonna have a lot of influence in these stages of, connected device security standards. But I am curious to see how something like a cyber trust mark plays out you know, if it does end up changing the tune of how people engage with buying their products. It's one of those things, you know, to be hopeful about, but I I I definitely take what you say, you know, as I I think a likely outcome which is that, you know, consumers, it takes a lot to sort of change buying habits once you get comfortable with just kinda picking up the thing that works and plugging it in, and it gives you all the cool features. We're all victims of it in some form or fashion, you know, so It's, yeah, it's definitely an interesting dynamic to keep an eye on, but I think on that front, we'll go ahead and wrap things up for our conversation today. So Thank you so much. Thomas PACE, CEO, and NetRise, for your perspectives today, your insights and analysis. This has been really, really actionable. I've learned a lot, and I know our audience definitely has. We've touched on so many different slices of this pie. If folks want to get in touch with you to further pick your brain, or maybe they're interested in MetRise as part of their ecosystem. How can they get in touch? How can they learn more? I mean, I'm on I'm on LinkedIn and Twitter and things like that. Go go to our website. We have a contact us page where you can fill out. It automatically sends a notification to, like, an entire team internally. So as soon as people reach out, like, we get back to you, like, super fast. Doesn't go into, like, some contact us, black hole. So that's probably the easier way. Shoot me or anyone else on my team a message on on LinkedIn. That'd be, you know, we're very, very easy to get a hold of. And we get back to people very quickly, like, typically within minutes, once something comes across the wire, unless it's, like, AM on a Saturday or something like that. Perfect. Easy enough. Thomas PACE. Thank you so much for your perspectives today. It's been a treat. Thank you, sir. Appreciate it. And thank you everyone for joining us another episode of wave lengths, an amphenol Broadband solutions podcast. If you like what you heard and saw today and you want to make sure you don't miss out on future episodes, or you wanna catch up on all of our previous thought leadership conversations. Make sure you head to our website, amphenol broadband dot com. Again, that's amphenol broadband dot com, and make sure that you're subscribing on Apple Podcasts and Spotify. I'm your host Daniel Litwin, the voice of b to b. We'll catch you on the next episode of wavelengths.