Five myths (debunked) about security and privacy for Internet of Things

IoT has the potential to enable improvements to so many facets of life, the list is endless. Its primary advancement is enabling the interconnectedness of “things” and resulting insights and synergies. Yet that same connectedness raises concerns for security and privacy that must be addressed.

1 2 3 Page 2
Page 2 of 3

Returning to the efficiency challenge: because IoT is expected to connect unimaginable numbers of devices and systems, we need to become exponentially more efficient in security and privacy practices.

Vint Cerf, a “father of the Internet” and chief Internet evangelist at Google, spoke at the Brussels meeting, and he reviewed why he and his colleagues settled on 32-bit Internet Protocol (IP) addresses for the Internet. In a back-of-the-envelope calculation, they found that 2 billion to 4 billion IP addresses might eventually be needed, and 32-bit addresses seemed more than adequate. In future decades, we expect every person to potentially have hundreds or thousands of associated IP-addressed objects. So, orders of magnitude more complexity require orders of magnitude more efficiency. If we’re going to scale up to trillions of objects, even a penny an object is too expensive.

Myth #3: Cyber security today is a well-established, mature science that addresses most IoT concerns.

In testifying before Congress in 2012, I said: “The science of cyber security is still in its infancy.” The emphasis here should be on the term “science,” in terms of an evidence-based foundation for our concepts and practices. I also addressed this in my talk, “Realities & Dilemmas in Cyber Security & Privacy,” at Oxford University in December.

One area that needs to be explored: we don’t have good cyber-domain models of human user behavior. What drives us to make good – or poor – security and privacy decisions? That’s critical, because humans are involved in every element of the IoT, including its design, implementation, operation, deployment, maintenance, use and decommissioning.

With humans so integral to the Internet and IoT, we’d better understand ourselves in a scientific fashion. We simply haven’t developed scientifically valid models. How do we model user behaviors? How do we model engineers’ thought processes when they create these systems? How do we model the institutions created by humans that will operate in an IoT world? How do we model an adversary’s mindset and behavior to protect such a potentially large attack surface?

The challenge here is that human behavior doesn’t have a closed form like math. Encryption, for instance, has a nice, neat, closed form, in terms of how it describes a problem and how it provides a solution. Science is a good way to deal with systems – like human behavior – that don’t have closed forms. I’m aware that astronaut and pilot behavior has been modeled to streamline spacecraft and jet controls. Digital advertising companies have done online human behavior monitoring for years, with some controversy over privacy issues. Biologists are modeling the behavior of cells. But in the broader, everyday realm of ordinary people, as they interact with IoT, we’ve only just begun.
