Cybersecurity & Tech

On Cybersecurity for the Internet of Things

Herb Lin
Saturday, January 31, 2015, 4:30 PM
On Tuesday, January 27, 2015, the Federal Trade Commission released a staff report on cybersecurity and the Internet of Things. Although as a staff report, the report has no binding authority on anyone, and the report merely stated that “commission staff encourages companies to consider adopting the best practices highlighted by workshop participants,” it was predictable that opposing voices were heard noting that exces

Published by The Lawfare Institute
in Cooperation With
Brookings

On Tuesday, January 27, 2015, the Federal Trade Commission released a staff report on cybersecurity and the Internet of Things. Although as a staff report, the report has no binding authority on anyone, and the report merely stated that “commission staff encourages companies to consider adopting the best practices highlighted by workshop participants,” it was predictable that opposing voices were heard noting that excessive regulation could smother innovation and scare customers away from a promising new technology. (See this, for example.) The best practices mentioned include building security into devices at the outset, rather than as an afterthought; training all employees about good security, and ensuring that security issues are addressed at the appropriate level of responsibility within the organization; using service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers; implementing a defense-in-depth approach to security; limiting the ability of unauthorized persons to access a consumer’s device, data, or even the consumer’s network; and monitor products throughout their life cycle and, to the extent feasible, patching known vulnerabilities. These practices are hardly radical—indeed, many vendors of IT-related goods and services practice them today.  But the resistance towards even a nonbinding staff report recommending things that vendors are doing today underscores a fundamental observation about cybersecurity in the United States—we’ve seen this play before. A discussion from a recent National Research Council report (of which I was an editor) provides the script for the first act:
In information technology (as in other fields), vendors have significant financial incentives to gain a first-mover or a first-to-market advantage.  For example, the vendor of a useful product or service that is first to market has a virtual monopoly on the offering, at least until a competitor comes along.  During this period, the vendor has the chance to establish relationships with customers and to build loyalty, making it more difficult for a competitor to establish itself.  Furthermore, customers of the initial product or service may well be reluctant to incur the costs of switching to a competitor. Policy actions that detract from the ability of the private sector to innovate are inherently suspect from this perspective, and in particular policy actions to promote greater attention to cybersecurity in the private sector often run up against concerns that these actions will reduce innovation.  The logic of reducing time to market for information technology products or services runs counter to enhancing security, which adds complexity, time, and cost in design and testing while being hard to value by customers.  For example, the real-world software development environment is not conducive to focusing on security from the outset.  Software developers often experience false starts, and many “first-try” artifacts are thrown away.  In this environment, it makes very little sense to invest up front in that kind of adherence unless such adherence is relatively inexpensive.
The fact of the matter is that as a nation we want better cybersecurity, yes, but we also want innovation as well.  And until someone explains how it is possible to bring to market more secure products in the same amount of time and for the same cost as today, we will be stuck with this tradeoff. After the first act is an interlude, in which people minimize the security risks and/or their significance.  “Why would anyone ever want to do that?” is the mantra of this interlude. The next real act comes when the technology is well on its way to widespread adoption because it makes life better for many people—and something bad happens as the result of a hacking incident.  The reaction will then take one of two forms: “that was a fluke and the precise set of circumstances enabling that hack won’t occur again” or “the technology is too widespread and thus it is too expensive or impractical to fix the root causes (e.g., a security-flawed design) of the problems, so we’ll just have to fix the problems as they come up.” The next interlude sees more and more evidence of security problems pile up even as the deployment of the flawed technology expands, and both sides argue themselves hoarse. And we have yet to know the third act, as no consensus on our national priorities—whether and how much we as a nation should be willing to pay for gains from more rapid innovation in the short term with costs incurred in the long term from lack of upfront attention to security—has yet emerged. I hear crickets.

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.

Subscribe to Lawfare