Internet of Things (IoT) holds great promise for a more intelligent, efficient, safe and even anticipatory means of human adaptation to the environment, be it natural or manmade.
IoT has the potential to enable improvements to so many facets of life, the list is endless. Its primary advancement is enabling the interconnectedness of “things” and resulting insights and synergies. Yet that same connectedness raises concerns for security and privacy that must be addressed. To advance the evolving discussion on IoT security and privacy, I cite five “myths.” Rather than accept them or dismiss them, I believe that they deserve careful consideration.
Myth # 1: More security means less privacy, and vice versa.
I participated in the IEEE Summit on Internet Governance in December 2014 in Brussels where some suggested that we’re dealing with security “versus” privacy. We’re not. We should address security “and” privacy. I believe IEEE provides a real service to the global community by promoting that approach. These two concepts go hand in hand. Technically, they have commonalities. They enhance each other.
In terms of similarities, both concepts are about confidence in the way things work. Whatever thing or process people are interacting with, they want to have confidence that that’s the thing or process they’re getting. People want confidence there’s not some nefarious agent – human or machine – that compromises their expectations about how a thing or process performs.
To contrast the two concepts, privacy is more about providing information into a system and not being personally harmed by doing so. Privacy stems more from an IoT user’s perspective. Security is about creating value and protecting that value. It’s often from the providers point of view but it can also be from the point of view of users, if they’re receiving value from a system in return for their participation. A smart meter on the home, which records energy use in a granular fashion, can provide value to user and provider – as long as the user’s privacy remains intact and the data on billing and system health remain secure for the provider.
Technically, security and privacy have commonalities. Both rely on encryption, for instance. Methodical design processes will help ensure their protection. And both suffer the same sorts of failures. Engineers who design software or systems without a sense of how adversaries think can overlook exploitable aspects of the design.
Similarly, because individual components of IoT will be parts of systems of systems, the original authors of a component may not consider the security and privacy implications as their component interacts with other components and systems. For instance, researchers have established – as has the Federal Food and Drug Administration (FDA) – that a number of personal medical devices (PMD) have encryption flaws, which threaten the security of the devices and the data they record and, in cases, transmit, as well as compromising the privacy of the individual using them.
So this myth is a false dichotomy and that can lead to false choices. Taking a security “versus” privacy view doesn’t allow the technical community to accurately describe the choices society has to explore as it determines practical levels of security and privacy. As we know from traditional IT concerns, we can have 100 percent security with no functionality. So a cost-effective, practical tradeoff must be found.
Myth #2: Existing IT security and privacy concepts and practices are sufficient to meet IoT challenges.
I’m originally a theoretician in computer science and, from a theoretical viewpoint, we know how to make things secure and private. But we don’t know how to do that efficiently. Priorities always matter. Do we want to spend $1 billion to secure the local bookstore’s website? No. Nuclear warheads? That sounds like a good investment and would be a decision for policymakers. If we desire greater security, the price curve can be pretty steep. In the private sector, an enterprise faces practical tradeoffs: do I want to pay for a security feature or a revenue-generating feature? It’s not either/or, but there’s a tradeoff.