This week was the 6th National IT Summit in Germany. Like always, that’s where big speeches are made and little happens. The German BITKOM (Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V.), the IT and communications industry lobbyist association put the topic of smart networks (or grids) on the table. They requested initiatives (and money) to build such networks. That comes as no surprise, given that the smart world will require massive investments. So driving this forward makes sense.

However, the big problem to solve for this smart world – whatever it will look like – is security. I’d blogged about this quite a while ago, titled “Is an insecure smart planet really smart?” This question is not even still valid, it has become increasingly important. In Germany, there has been a large exercise – sort of a field exercise – just recently called LÜKEX. Many governmental organizations, police, and others are involved, this time upwards to 3,000 persons. In former years it has been about terrorist attacks with bombs and the like. This year it has been about CyberSecurity.

Networking the world requires a very well thought out approach on security. And it requires the willingess not to connect everything. The problem is that many of the initiatives around smart “whatevers” ignore this. There is a BITKOM presentation of mid 2011 which does not even mention security. Fortunately, BITKOM at least mentioned the need for security at the National IT Summit. Nevertheless it looks like the need is neither fully understood nor adequately prioritized. My perspective is that it has to be the priority number one for everything which is done around the smart world. Without security, nothing will be smart.

And even with well-thought security we have to be always aware that everything we network, especially including all the SCADA devices, will massively increase our security risks. So being not too smart might be smarter sometimes.

There are a lot of talks about making our planet smarter. Despite being far too much fiction, the film “Die Hard 4.0″ has been around some of the potential risks around this. I recently had a very interesting discussion with a forensic/incident expert from the US. We’ve discussed several issues and ended around the idea of this “smarter planet” and the “smart grid” as one of its most prominent elements. Per se, the idea of having a networked infrastructure in many areas, with a high degree of flexibility and increased service availability is as appealing as inevitable – things will go that path.

However the security of that future seems to be somewhat ignored, at least in the public discussion. For sure politicians aren’t interested in the dark site of things as long as the bright side is discussed. They don’t want to be the party poopers. Only if there is an incident, they will claim that they have done everything to avoid it and that everyone else is guilty but not them. Vendors, on the other hand, are mainly interested in driving things forward. Most of the for sure don’t ignore security – but it seems to be more sort of a pain than an opportunity.

Thus, we observe currently the same thing in big like we can see day by day in small: Security is ignored when driving things forward. That is true for a tremendous part of the software which is developed, it is true for new standards in IT (think about web services – security has been missing at the beginning), it is true for so many other areas. And now the same thing seems to happen for all these smart things. But, from my perspective, then these things aren’t really smart.

Just think about the smart grids. This is sort of a massive data retention mechanism, collecting and networking millions of households with the utilities. There are privacy threats – who has used which electric device when? There are new attack surfaces. For sure there are some things going on around security. But from what I observe, security is developing slower than the rest of the things in the smart planet initiatives. It’s sort of a ticking time bomb out there.

What will happen? Security is undervalued. For sure it isn’t ignored but it won’t have the relevance it should have in these projects. People will cheer when there are some results of projects delivered. Security will become a problem. There will be unpleasant discussion about who is guilty or not. Security issues will be patched. To some degree. Wouldn’t it be a better idea to built security into the concepts from scratch? To really have a smarter planet at some point of time?

Sorry for being the party pooper!