Managing Risk for the Internet of Things

February 17, 2016

New CSIS Report - Managing Risk for the Internet of Things: Executive Summary https://csis.org/publication/managing-risk-internet-things.

The majority of Internet “users” are machines, not people.  The devices that make up “the Internet of Things” (IoT) connect to the internet, take action, and create immense amounts of data. These devices will perform progressively more functions, creating new risks for safety and security, but we need more than anecdotes to assess risk and devise useful policies.  An initial conclusion about security and the Internet of things is that popular portrayal significantly exaggerates and misrepresents risk. 

·         The Internet of Things will be no more secure than the conventional Internet and may be more vulnerable, since many IoT devices will use simple computers with limited functionality.

·         Increased vulnerability, however, does not mean an increased risk. The benefits of IoT outweigh the potential for harm, and one risk usually not considered is that premature or overreaching measures for security or privacy will stifle economic growth and innovation.

·         IoT devices allow hackers to produce physical effects. Researchers have demonstrated many vulnerabilities in IoT devices, but the consequences of these vulnerabilities largely qualify as malicious pranks. Only IoT devices that perform sensitive functions or where disruption can produce mass effect will increase risk. This means most IoT devices pose little risk.

·         The state of online privacy is so dreadful it is unlikely that IoT will make it worse.

·         The same problems that keep us from making cyberspace more secure will slow progress in IoT security: technological uncertainty, limited international cooperation, lack of incentives for improvement, limited regulatory authority, weak online identities, and an Internet business model based on exploitation of personal data.

·         We can accelerate risk reduction with the same approaches we use for general cybersecurity: research, liability, international cooperation, and regulation. The White House could repeat its approach to critical infrastructure and task sector-specific agencies to work with companies to improve the security of IoT devices they use or sell.

·         Autonomy will be a key determinant for IoT risk. Limiting device autonomy or providing a way to override autonomy reduces risk. IoT standards should require a higher degree of human intervention and control for sensitive functions.

·         A secure device connecting to an unsecured network does little to reduce risk. Given the weak state of security on most networks, making IoT more secure requires better use of encryption, strong authentication, and increased resilience for both devices and networks.

·         We can use three metrics—the value of data, the criticality of a function, and scalability of failure—we can assess IoT risk. Devices that create valuable data, perform crucial functions, or can produce mass effect need to be held to higher standards. Those that do not can be left to market forces and the courts to correct.

·         Risk is dynamic. It decreases as technology matures and as familiarity and experience grow. As we gain experience with IoT, risk will decrease.