Aligning cybersecurity incentives in an interconnected world
In the stop-motion animated short “Wallace & Gromit: The Wrong Trousers,” the protagonist Wallace’s alarm clock kicks off a Rube Goldberg-like chain of machines and devices that dress him and make him breakfast. The so-called “internet of things” is set to make this sort of fiction a reality. Connected homes, appliances and infrastructure have the potential to make us more productive. Today, you can set your alarm clock remotely and have it signal your coffee maker to start and the water heater to get your shower ready.
The term “internet of things” dates to 1999, when the founders of the Massachusetts Institute of Technology’s Auto-ID Labs began using it to describe a class of identification technologies used in automation processes. The actual technologies are significantly older. It’s believed the computer science department at Carnegie Mellon University programmed the first internet-connected device—a Coca-Cola vending machine—in the mid-1970s. As the story goes, the department installed microswitches to sense whether bottles were present in the machine, with that information relayed to a server that students could access from anywhere on the internet.
Though the term has been with us nearly two decades, there remains significant disagreement about what, precisely, the “internet of things” describes. Since its inception, it has been used alternatively to include or exclude various classes of connected objects. Key to its global spread was a 2005 report by the United Nations’ International Telecommunication Union that characterized the internet of things as “ubiquitous computing,” complete with machine-to-machine communication and real-time connectivity. In the United States, the Federal Trade Commission has adopted a definition that hinges on whether or not a given class of objects traditionally had embedded computing power; networked appliances and thermostats thus qualify as internet-of-things devices, but computers, tablets and smartphones do not. The management consultant McKinsey & Co. employs a definition that also excludes computers and smartphone apps, on grounds that they are designed to receive intentional human input. The Institute of Electrical and Electronics Engineers defined the internet of things as “a network of items—each embedded with sensors—which are connected to the internet.” The U.S. Commerce Department’s National Institute of Standards and Technology (NIST)—recognizing there is no universally agreed-upon definition—defines internet-of-things devices by the presence of certain behavioral features: a sensing function, an aggregating function, a communications channel and a decision trigger.
For the purposes of this paper, we use the term “internet of things” to refer to an array of connected objects with unique identifiers that have the ability to transfer data over a network. The internet of things consists of a variety of network-enabled physical objects, including appliances, objects using near-field communications, machine components, sensors, endpoints, wearables, computers and phones. That being said, we recognize that objects that are tagged with unique identifiers, but are not “smart,” in that they do not have the ability to both send and receive data, present less cybersecurity risk. Conflating these things into one category can be problematic. Our definition approximates the category of objects included in the internet-of-things issues that policymakers will likely face.
The internet of things holds promise for applications in the fields of transportation, infrastructure, agriculture, energy, manufacturing, health and communications, among others. McKinsey predicts that internet-of-things adoption worldwide could generate between $3.9 and $11.1 trillion per year by 2025, equivalent to up to 11 percent of the global economy. Internet-of-things devices can help monitor chronic conditions, such as diabetes. Smart homes made up of networked appliances can help to streamline routines and chores. Smart cities composed of networked infrastructure can smooth traffic flows and allocate energy more efficiently. Sensor-laden trash cans can signal when they need to be emptied, while sensors in bridges and roads can signal the need for repair.
For all the amazing potential of the internet of things to be realized, systems need to anticipate and design against vulnerabilities. The most common of these is a cyber-attack, a malicious attempt to access, damage or disrupt information or systems. To fend off potential attacks, internet-of-things devices and systems need to be equipped with appropriate cybersecurity defenses, which are designed to protect information systems from criminals, nation-states and unauthorized users.
Different aspects of connected devices pose different kinds and degrees of cybersecurity risk, with the internet-enabled features being the root source of most concerns. For example, there are privacy and surveillance implications associated with identifying technologies like RFID, as well as with “always-on” sensing capabilities.9 Devices that interact directly with the physical world or that have clear real-world consequences can result in safety issues, as was seen in the recent hacks of the Ukrainian power grid.10
Because of the nature of network effects, internet-of-things devices present a unique problem to the internet as a whole. When devices are connected, one device’s vulnerability becomes a problem for the entire network. This is not a new threat, as networked devices have been around since the 1960s. However, the scale of interconnection among today’s devices magnifies the consequences of insecurity. Common vulnerabilities include insecure network services, software and firmware; insecure security configurability and authentication, authorization and verification systems; and insecure cloud, mobile and web interfaces.
The insecurity of the internet of things has helped to create the equivalent of an active warzone. Compromised devices can be organized into “botnets” that are used to disrupt internet service broadly in what are known as distributed denial of service (DDoS) attacks. Large-scale internet outages due to denial of service attacks are increasing in number and frequency. Other types of internet-of-things-based attacks include physical attacks, reconnaissance attacks, access attacks and attacks on privacy, including data-mining, cyber espionage and eavesdropping, as well as tracking and password-based attacks.
A massive Oct. 21, 2016 cyber-attack rendered popular sites such as CNN, Twitter and Netflix inaccessible worldwide. That event prompted the U.S. House Committee on Energy and Commerce to convene hearings to understand the role of connected devices in the internet disruption. The outage was also at least partially responsible for the National Institute of Standards and Technology moving up the release date of the final draft of planned guidance to provide cybersecurity and mitigation resources for internet-of-things manufacturers.
The pace of effective cybersecurity protocols currently lags the speed with which internet-of-things systems are developing, but this does not always have to be the case. The risk of cyber-attack is becoming both more costly and more visible. Companies do not want the reputation or brand damage associated with selling insecure devices. As one recent example illustrates, the company responsible for the vulnerable webcams leveraged in the October 2016 Mirai botnet chose voluntarily to recall millions of devices. Insecure internet-of-things devices cause negative externalities, as one individual’s use of a vulnerable product can reduce the well-being of others within the network. Bruce Schneier—a fellow at Harvard University’s Berkman Klein Center for Internet & Society—is among the prominent voices calling for government to intervene to correct this “market failure.”
However, if we turn Schneier’s logic on its head, market failures can become market opportunities. In other words, the absence of security is an opportunity for entrepreneurs to sell secure internet-of-things devices, make security cheaper to implement and to broker information about device security. Users currently are largely unaware of the negative effects of their insecure devices and companies are often unaware of vulnerabilities in their devices. Such information asymmetries offer opportunities for strong private mechanisms to evolve. Third-party accreditation organizations, standards organizations and ratings bodies can provide information to consumers about their products’ security, just as the nonprofit Underwriters Laboratories certifies safe products with their “UL” mark.
Cyber insurance also can help the market to manage and transfer risk, and to internalize the negative externality through risk-based insurance premiums. Through the processes of cyber-insurance underwriting and ratemaking,manufacturers are offered incentives to become aware of vulnerabilities. So long as insurers remain free to craft new products and charge appropriate risk-based prices, and efforts are not made to displace private coverage with some kind of government “backstop,” the market for cyber insurance should continue to develop rapidly. The federal government could help encourage the burgeoning market by requiring that federal internet-of-things contractors use insurance or other risk-transfer mechanisms to take financial responsibility for cyber liabilities they may create for taxpayers.
Given the challenge posed by an insecure internet of things, policymakers must avoid the knee-jerk response to institute regulations that require certain prescribed device-security standards. Government is limited in its cybersecurity expertise and local knowledge, particularly given the complexity and speed of technological development, which make it impossible for lawmakers and regulators to know what type of requirements to impose. Because devices have unique functions, protocols and uses, one-size-fits-all regulation based on design standards would set inadequate or overly complex standards in stone, not to mention introducing compliance costs that could deter internet-of-things innovation. Overly prescriptive regulations also could limit companies’ flexibility to respond to issues as they arise.
Because of potential pitfalls in a federal regulatory approach to internet-of-things standards, identifying market-based solutions is critical. This paper explores two market-based mechanisms—cyber insurance and third-party accreditation—that could help secure the internet of things. It also examines the role policymakers can play in supporting broader adoption of cyber-insurance coverage.
Image by Den Rise
