Juels: It’s very hard to predict how complex an ecosystem will be. I remember at one point trying to design an authentication application for mobile devices around 2005, and the project was essentially scuttled because there were hundreds of devices and hundreds of operating systems, so designing a universal authentication app was not going to be feasible. A couple of years later, of course, the landscape changed fundamentally. So it’s very difficult to predict where and when complexity will strike and how it will be resolved.
Will these security challenges impede the emergence of IoT?
Juels: One possible impediment is going to be the drama surrounding failures of IoT security. We’re willing to tolerate 30,000-plus fatalities a year on U.S. roads. How many fatalities due to software failures in autonomous vehicles are we willing to tolerate? Probably many fewer because of the psychological barrier of ceding control to machines. That’s an interesting phenomenon of IoT devices that we don’t see in other realms of computing.
That’s an interesting way of putting it. Other thoughts on that?
Mattes: I don’t think we’re going to be able to slow this down. It’s happening already. People are finding compelling business reasons to do IoT and they’re going to do IoT whether IT lets them or not.
Tague: I agree. There’s nothing we can do to stop this. It’s already providing some value and that value is likely to outweigh all but the most catastrophic developments. I do think that a certain amount of regulation is going to become necessary, especially given things like those autonomous vehicles, and my prediction is there will be a lot more regulation of IoT once we have our first major software-based real-world disaster.
Blackmer: I’m with everybody else on this one. The bus has already pulled out of the station and security is running behind it. As long as there’s a value to business, if it helps make things more efficient, it’s going to happen. So from a security perspective we need to realize it’s going to happen with or without us and try as hard as we can to secure it while it’s moving forward, because it certainly isn’t going to stop.
Let’s finish with a question about timing. How long before we get a better handle on IoT security and data privacy?
Tague: It is hard to put a number on, but I would put it in the five-year category.
Juels: I’m very pessimistic about consumer control of personal data. The landscape is just too complicated. People can barely figure out how their Facebook privacy settings work, let alone how the privacy settings work on all of the devices in their home and how they’re going to auction off the data that emanates from these devices. It will be unmanageable for consumers, and regulation will probably lag behind reality as it typically does.
Mattes: Even if we can converge in the next five to 10 years on a majority of systems behaving well, there’s always going to be outliers and there’s always going to be black swans that reshape the way we look at this stuff. But progress marches forward and we’re all in the band.
This story, "The security implications of IoT: A roundtable discussion with four experts" was originally published by Network World.