
Five myths (debunked) about security and privacy for Internet of Things

Greg Shannon, PhD, chair, IEEE Cybersecurity Initiative, and chief scientist, CERT Division, Carnegie Mellon University Software Engineering Institute. | Jan. 27, 2015
IoT has the potential to enable improvements to so many facets of life, the list is endless. Its primary advancement is enabling the interconnectedness of “things” and resulting insights and synergies. Yet that same connectedness raises concerns for security and privacy that must be addressed.

Perhaps the biggest challenge I see with IoT is scale. We're going to deal with an IT infrastructure -- a networked infrastructure that connects countless entities, devices and systems. We've never fathomed that before. What are the dynamics, driven by scale? We've certainly seen the dynamics of scale evolve in the Internet, where value creation and threats morph over time as the Internet itself undergoes orders of magnitude of change.

With, say, 1,000 people on the Internet, we have one set of dynamics. With a million, it's a different set. When it's a billion or a trillion? We'll be stepping into a world we haven't experienced before, that we haven't engineered for. The Internet and computing technologies are really the only places where decade over decade we continue to see an order of magnitude change. What other domain becomes 10 times more efficient or 10 times more capable than it was the previous decade? IoT appears to be such an animal.

Myth #5: IoT cybersecurity is a challenge the private sector can meet alone.
The private sector will have to make its own decisions about security and privacy. Yet I'd expect the private sector to help facilitate an information exchange that contributes to the public good. Individual companies may not be motivated to care about the public good without guidance from public policy. We've done this in the United States, for instance, by creating the Federal Aviation Administration, the National Transportation Safety Board and other organizations that analyze events and promulgate rules to protect the public.

That said, I'm not in favor of security by decree. We need a more flexible model that allows secure information sharing for scientific and security event analysis, and access to the validated guidelines that emerge for avoiding future events. It's really about creating and routing that feedback signal of what's working and what's not working so that researchers, enterprises and users of IoT can make informed decisions.

Policymakers need to be well-informed about the issues and willing to devote a measure of our collective resources to meet this challenge. But top-down unvalidated rules in this environment haven't proven effective. Policymakers need to respond to public concerns on Internet and IoT security and privacy. How do we improve that conversation? These security and privacy concerns are affecting people today on a personal level, a business level and on a national-security level. There aren't many subjects that run that whole gamut. We're entering new territory.

I'd like to end on an optimistic yet speculative note. I'm sure there was a time 100 years ago when parents assumed that serious childhood illnesses were common and normal, and that there wasn't much you could do about them. Children would often die of polio or smallpox. Well, we beat those afflictions. I think there's evidence in other areas that circumstances can change pretty dramatically. They take time and focused effort. So I'll speculate that that will be the case with IoT security and privacy. We'll figure out how to cope with these challenges.

 
