Five myths (debunked) about security and privacy for Internet of Things

Greg Shannon, PhD, chair, IEEE Cybersecurity Initiative, and chief scientist, CERT Division, Carnegie Mellon University Software Engineering Institute. | Jan. 27, 2015
IoT has the potential to enable improvements to so many facets of life that the list is endless. Its primary advancement is enabling the interconnectedness of “things” and the resulting insights and synergies. Yet that same connectedness raises security and privacy concerns that must be addressed.

So this myth is a false dichotomy, and that can lead to false choices. Taking a security "versus" privacy view doesn't allow the technical community to accurately describe the choices society has to explore as it determines practical levels of security and privacy. As we know from traditional IT concerns, we can have 100 percent security with no functionality. So a cost-effective, practical tradeoff must be found.

Myth #2: Existing IT security and privacy concepts and practices are sufficient to meet IoT challenges.
I'm originally a theoretician in computer science and, from a theoretical viewpoint, we know how to make things secure and private. But we don't know how to do that efficiently. Priorities always matter. Do we want to spend $1 billion to secure the local bookstore's website? No. Nuclear warheads? That sounds like a good investment and would be a decision for policymakers. If we desire greater security, the price curve can be pretty steep. In the private sector, an enterprise faces practical tradeoffs: do I want to pay for a security feature or a revenue-generating feature? It's not either/or, but there's a tradeoff.

Returning to the efficiency challenge: because IoT is expected to connect unimaginable numbers of devices and systems, we need to become exponentially more efficient in our security and privacy practices.

Vint Cerf, a "father of the Internet" and chief Internet evangelist at Google, spoke at the Brussels meeting, and he reviewed why he and his colleagues settled on 32-bit Internet Protocol (IP) addresses for the Internet. In a back-of-the-envelope calculation, they found that 2 billion to 4 billion IP addresses might eventually be needed, and 32-bit addresses seemed more than adequate. In future decades, we expect every person to potentially have hundreds or thousands of associated IP-addressed objects. So, orders of magnitude more complexity require orders of magnitude more efficiency. If we're going to scale up to trillions of objects, even a penny an object is too expensive.

Myth #3: Cyber security today is a well-established, mature science that addresses most IoT concerns.
In testifying before Congress in 2012, I said: "The science of cyber security is still in its infancy." The emphasis here should be on the term "science," in terms of an evidence-based foundation for our concepts and practices. I also addressed this in my talk, "Realities & Dilemmas in Cyber Security & Privacy," at Oxford University in December.

One area that needs to be explored: we don't have good cyber-domain models of human user behavior. What drives us to make good, or poor, security and privacy decisions? That's critical, because humans are involved in every element of the IoT, including its design, implementation, operation, deployment, maintenance, use and decommissioning.
