Yet security researchers who, in an attempt to be helpful, discover vulnerabilities and tell companies about them can face lawsuits or even criminal prosecution for their trouble, said Andrea Matwyshyn, a law professor at the Wharton School and an advisor to the Federal Trade Commission. "Some companies view this information about a mistake in their product as an attack on the product and view it as more cost effective to legally silence the researcher," she told Risk & Compliance Journal in an interview.
Now a loose-knit group of security professionals, lawyers, regulators and others are coming together under the name "We Are the Cavalry" with the objective of reducing the health and safety risks that users inadvertently assume by using Internet-enabled products. Prof. Matwyshyn is an advisor to the group.
"If a company is building boilers and decides it wants to incorporate a capability so people can activate their heating system remotely, it is neat functionality but neat functionality is only half of the conversation. The other half has to involve: at what additional risk?" she said.
Nicholas J. Percoco, Vice President of Strategic Services at Rapid7, an IT security data and analytics company, cofounded We Are the Cavalry, which he said was launched last year at the hacker conference Defcon. "We originally thought of calling the group 'Nonymous'," he said in an interview. That would be a play on the hacker group "Anonymous", with the "A" deleted to show that this initiative was not secretive, but open.
Joshua Corman, the other co-founder, is chief technology officer of the cybersecurity firm Sonatype, and has blogged extensively on Anonymous. About 273 people are on the email list that serves as the loose organizational focus for the group, he said.
The two co-founders say that one objective of their group is to map what they call the "chain of influence" that will allow them to persuade manufacturers to secure devices.
Mr. Percoco outlined the scenario that often unfolds when hackers discover cybersecurity flaws in devices, and tell companies about them: "Typically the report falls on deaf ears, so the researcher gets frustrated and tells people about the problem, compounding the problem, because now more people know and consumers are now at greater risk."
Although software companies often have established procedures for dealing with reports of vulnerabilities, companies in other industries generally do not, so "the skills it takes to find flaws are different from the skills it takes to report to manufacturers," said Mr. Corman. Therefore the Cavalry aims to enlist not only security researchers but also academics, industry experts, legal advisors, and others. The priority focus area is products that present a danger to health or life.
Sometimes those dangers threaten children. Self-described We Are the Cavalry member Mark Stanislav, security evangelist for Duo Security, a vendor of two-factor authentication systems, focuses on bringing more security to products crowdfunded through such platforms as Kickstarter and Indiegogo.
"What concerns us is teams of one or two people trying to bootstrap an entire company and get it to market but these people don't have security knowledge and don't have budget for pre-market security," Mr. Corman told Risk & Compliance Journal. In one case, he discovered a flaw in an Internet-enabled device marketed to children that allowed unauthorized users to get access to information that could put the children at risk. Through an initiative called BuildItSecure.ly (sic) he is developing a program to provide nominal cash rewards to people who find similar flaws in other products, crowdfunding security itself.
George Washington University Law School professor Paul Rosenzweig, who sometimes advises the Cavalry, expects the movement to grow. He said in an interview, "I predict [We Are the Cavalry] could easily be the nucleus for some white-hat standard-setting agency."