Internet of Things: Understand the risks
CAMBRIDGE, Md. — Some 5 billion machines and devices will be transmitting data across the Internet this year, a figure that’s expected to reach 25 billion by 2020, according to the latest Gartner forecast. Others, including Cisco, predict the total number of devices will be twice that many. Yet federal IT experts say the U.S. government is only just beginning to address issues surrounding how to manage and protect the data emanating from all these devices.
Chief among those issues are growing security and data privacy concerns. But questions also linger over the lack of data interoperability, how to decide who owns consumer data and the need to better assess the liability risks associated with machine-to-machine data collection, should things go wrong.
Indeed, there seemed to be more questions than answers about the potentially disruptive nature of the Internet of Things during discussions at the “Management of Change” forum Monday, sponsored by the American Council for Technology and Industry Advisory Council, or ACT-IAC.
Personal privacy issues are getting greater scrutiny with policymakers, especially as Congress decides whether to renew the USA Patriot Act surveillance law, said Mike Howell, deputy program manager for information sharing in the Office of the Director of National Intelligence. And that’s beginning to have an impact on the Internet of Things.
“There’s been, over the last decade, a lot of adoption of technologies — UAVs, automated license plate readers, body cameras, stingrays for cell phone operations. And [law enforcement agencies] are running into a common pattern we need to watch for with the Internet of Things … where they are losing lawsuits or potentially losing the ability to use some of these technologies,” Howell said.
That’s “because they don’t have the policy framework in place, and they don’t have the community outreach that explains what’s going to be done,” with the information these technologies are making available, he said.
One key stumbling block for policymakers in crafting such a framework lies in trying to apply the Privacy Act of 1974 to technologies that were beyond imagination 40 years ago, said Brian Nordmann, a senior arms control adviser for the State Department who is trying to use the Internet of Things to help monitor the movement of nuclear weapons. “I’ve spent more time with lawyers in the last year and a half on the Privacy Act than I have over my entire career,” he said, noting the ARPANET had barely been invented when the law was written.
Another challenge for organizations lies in identifying how much tolerance the public will have for sharing their information and in being clear about the trade-offs involved.
“In the energy markets, if somebody tells me I would save, without a doubt, 50 percent on my bill by just giving up some [information], I’d consider it,” said Sanjay Sardar, chief information officer of the Federal Energy Regulatory Commission.
Sardar added that machine-to-machine communications in the utility industry have been working successfully for decades. What’s changing is the ability to combine that with consumer technology and develop new market incentives. There are regulatory and privacy issues, he concedes, but “we look at it as an exciting opportunity.”
But policies guiding security practices and encouraging data interoperability are still in their infancy, said Sokwoo Rhee, associate director for cyber-physical systems at the National Institute of Standards and Technology.
Rhee said NIST is working with more than 250 organizations to address IoT issues. But companies are still finding their way in determining business models that profit from IoT data. Until they do, he said, it’s hard for NIST to develop industrywide standards for handling IoT data.
“[Return on investment] is important even for NIST. Without it, you can’t have standards,” he said.
In the meantime, Howell warned agencies and organizations of the importance of understanding the risks interconnectivity could carry.
“Do you understand your risks? We’re talking about a geometric increase in the number of endpoints on the networks connected to your networks,” he said.
He cited news stories circulating this week about a security researcher claiming to have hacked into an airplane’s thrust management computer through the plane’s in-flight entertainment system. “What would happen if someone hacked into the positive control system” designed to prevent accidents like last week’s Amtrak derailment in Philadelphia? he asked.
“Every one of these new extensions of connectivity is going to create new vulnerabilities. Are we ready to secure that?” Howell asked.
Howell also suggested five other questions organizations need to ask as they try to respond to the Internet of Things:
- What are you trying to accomplish? What’s the shared vision?
- Do you have the authority to do what you want to do? “You may need changes to the regulations and policies to do what you want to do,” he said.
- Do you have the capacity to do it? That means not only the capability, but also the governance and collaborative relationships to support it.
- Do you have effective customer relationship management, stakeholder engagement and outreach?
- Do you have a measure of success?
Speaking with FedScoop after his presentation, Howell pointed to a World Economic Forum report on the industrial Internet of Things, released in January. While the report highlighted the economic potential of the Internet of Things, it also noted that the control systems in a significant number of the world’s industrial operations were designed by engineers who have no training in cybersecurity.
The scale of concern is likely to grow as more of the world connects its machines and devices to the Internet.
According to a report released by the global trade group GSMA, 27 percent of all global machine-to-machine connections are in China, compared to 29 percent in Europe and 19 percent in the U.S. China’s government has reportedly committed to spending $603 billion for machine-to-machine connections through the end of this decade.
The response in setting data requirements, however, needs to be pragmatic, said Mike Echols, director of the Joint Program Management Office for Cybersecurity and Communications at the Homeland Security Department.
“We have to be careful that the requirements mean something and [are] not just a response to the demand for metrics,” he said.