Smart phones, smart cars, smart cities: The Internet of Things has changed the working landscape of most places on earth in a short time. However, in this transformative decade we have learned that every innovation provides an equal level of re-engineered threat. From heart pacemakers to energy utilities to submarines to nuclear reactors – the list goes on. How do we protect these devices? Are there industry and international standards for security? Who is responsible? Who is accountable?
In this week’s deep dive, we ask four area experts to give us their views on how best to “grow” the IoT while ensuring its protection. To grasp the complexity of the issue, we interviewed Ahmed Banafa, Engineering Professor at San Jose State University; Brian Russell, Chief Engineer Security Solutions, Leidos; Captain (Dr) Simon Reay Atkinson, University of Sydney and Royal Australian Navy Reserve; and William Dutton, Professor of Media and Information Policy at the Quello Center, Michigan State University.
Captain Reay Atkinson noted that “there is still an emphasis on control and EW as opposed to socio-IT, socio-ethics and capacity. The question is not our capability or the ability of individual thinkers. It is about capacity and bringing IoT effects to bear over the network within the nexus defined between cyber and big data; and privacy and security.” Although one usually hears about the problems associated with IoT in cybersecurity circles, one cannot ignore the immense possibility which lies within it. Professor Dutton called it “the next stage of the Internet’s development” and emphasized that the IoT will “connect devices that can operate in systems with the aid of intelligent agents and Artificial Intelligence (AI), and people.” Similarly, Brian Russell emphasized that “the IoT generates massive amounts of data. That data provides insight into a range of business areas: ways to optimize manufacturing processes; better understanding of customer behaviors and desires; etc. – in the end, businesses are aiming for a competitive advantage. Individuals are influenced by the capabilities offered by the IoT – for example, conveniences in the home through connectivity and automation. Governments are influenced by data as well – and they use IoT-generated data to better manage spending and better serve their constituents.” However, we cannot yet foresee the full scale of the changes it will cause.
Immediate Security Challenges
The same is true of the negative aspects. In one of his articles, Professor Banafa highlighted five distinct challenges which IoT faces: security; privacy issues; inter-operability standard issues; legal, regulatory and rights issues; emerging economy and development issues. As we can see, only one of these challenges is purely technical. Similarly, Professor Dutton also highlighted privacy as a primary concern, adding that the risk of system failures is also increasing. “Systems failures worry me because the IoT will permit us to build ever more highly coupled systems, which will likely be more fragile as problems in one component will ricochet through the network in ways to create more and more severe system failures,” he explains. He also added that in the case of IoT, understanding the context in which it is employed is crucial to understanding the specific challenges. “For example, consider the social implications of the IoT in an environmental application, such as monitoring pollution in a river in real time, versus in a medical care situation, monitoring a person’s heart.” These examples demonstrate that each application will have to be tackled in a different manner. Because IoT is used in so many different ways, concerns about it cannot be tackled in one brilliant leap.
Professor Ahmed Banafa named three sectors in which IoT challenges have to be overcome: technology, business and society. These have to be tackled individually. In his article, Professor Banafa analyses the different issues which arise in these three areas and the possible answers which can be given to them. The illustration shows that the social and legal aspects of this issue are already extremely complex, while in another article he discusses the technical aspect of IoT standardization. Captain Reay Atkinson told us that he sees the future of cybersecurity in “connecting the outside with the in” and in the realms of “Quantum AI (QAI).” He added that “the answer is not in controlling more but engaging more the banks, the network city-states, etc.”
A Policy, Technology Issue
Brian Russell agreed: “Countering the negative effects of IoT is both a policy and a technology issue,” he argued. “On the policy side, it is critical that legislation is introduced to safeguard health-critical and safety-critical systems. On the technology front, there is a substantial need for new Research and Development (R&D) to understand how our existing security technologies can be extended to secure the new era of connectivity across the IoT. Today’s monitoring solutions don’t hold up, neither do today’s authentication and authorization methods.” Professor Dutton likewise emphasized that the issues arising from IoT call for a multidisciplinary answer. “It will involve huge financial investments, social and cultural change as well as training and education, in addition to new law and policy and advances in technology,” he explains, but adds that while technology is cutting-edge, the other domains are much slower in catching up to the incredible speed of technological development. Captain Reay Atkinson supported this claim, explaining that “the emphasis remains on the IT driving the socio and capability driven strategy. In other words: no thinking or strategy.”
Professor Dutton added that premature policy initiatives can actually have a negative effect. “Security is already enshrined in law and policy. Rather than policy solving security issues, policy initiatives are likely to be premature and inappropriate, and stifle the innovations in technology and practice that could protect privacy and security.”
Building Public Understanding, Investing in Assurance and Trusted Systems
In combatting the issues described above, every individual must take part. Professor Dutton underlined this: “The most important step forward might be more public understanding of the IoT and AI. The public – everyone – and not just early users of the IoT, as everyone will be impacted, need to understand the technology, its applications, and societal implications. At present, discussions of the IoT befuddle most educated people, so much work needs to be done.” Captain Reay Atkinson explained a similarly critical approach to individual and business security. “Their security is built in investing in assurance and systems that can be trusted. This is what the banks like CBA have done where they have recognised that their security is their customers and vice versa – hence it is socio-ethical. This is a social investment issue which should be good for democracies. You cannot defend at the wall and have to go beyond. Today you have to assume the enemy is also already behind the wall…”
The International Cybersecurity Dialogue was created to promote a better working relationship between the policy and technology communities in government, business and academe. Our weekly ICD Brief and these deep dives are part of this program.