The IoT clearly is not secure today; we have seen numerous incidents. The real question, though, is: will the IoT be secure in the future? It’s a loaded question, one that I hear often.
The honest answer is probably no. In the same way that life and the internet aren’t secure, the IoT won’t be secure. But as that’s not a very satisfactory response, let’s explore this further. What are the parameters of IoT security? How do these parameters interact and what can be concluded? Specifically, we’ll look at the cost of IoT security, how security changes over time and the scope of IoT security.
Let’s start from a cost/value perspective. The typical scenario is that everybody starts out wanting ‘the best’ security but that position usually softens quickly when it comes with a hefty price tag. Security follows the usual economic laws: the higher the security, the higher the cost. And cost includes not only the security measures themselves but also the convenience toll: multiple password entries, repeatedly requested, quickly expiring.
So what’s an acceptable cost? In accordance with typical economic laws, the cost of something should be in balance with its value. So the cost of the security measures should be in balance with the value of the item that’s secured and the risks associated with a security breach. Logically, then, the higher the value of something and/or the larger the risk of a security breach, the higher the price that someone should be willing to pay to secure it.
Logical, yes — but it isn’t quite that simple. How do you determine the value in an IoT scenario? It’s a simpler question when asked about something that can be replaced with a single trip to a store but more difficult here. Ask a museum director for the value of a painting or a parent about the value of a child home alone. And what about evaluating the risk? Spend a few minutes reading about the continuing string of data security breaches and it quickly becomes clear that we’re underestimating the risk.
The second parameter is technological progress. Something that’s secure today can be broken tomorrow, and something that was out of reach in the past is solvable today. Over the last few decades, security has been in a race with hackers. System complexity and the lack of absolute end-to-end oversight also play a role. Systems today are becoming so complex that holes in security are easily introduced — and when they’re identified, those holes need to be rapidly patched. Some suggest that this increasing complexity, and the costs associated with it, are the largest risk to our ability to build secure systems. In any case, the progress of technology at any given moment is an important factor in overall IoT security.
The scope of IoT security, the third and last parameter discussed here, is a tricky one. There’s no scope around security as a whole, no level playing field. Every security solution is an answer to a (possible) particular security breach and assumes that breach plays by certain rules, staying within that issue’s scope.
The problem, however, is that the only real rule is that there are no rules. Consider, for example, a house with a security system that calls a dispatch center when an alarm is triggered. When the power is down, the security system won’t work. Adding a battery backup would work unless the power is also down at the dispatch center. And even if the security system is working as expected, the truth is that the house still has windows that can be broken, with items grabbed and stolen before security personnel can arrive at the home.
In the case of wireless technology, assume all data going through the air is fully encrypted. Someone who records the encrypted data (like a username and password) and then replays it will still gain access if the receiver only checks that a message decrypts correctly and not that it is new. No need for decrypting.
Or imagine that someone is listening to the Wi-Fi traffic of a house for a few days. Soon it would be easy to know when someone is in the home, or not. In other words, even with all of our secure Wi-Fi connections, we’re still essentially broadcasting information about if and when we’re at home.
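The replay case described above, shown from the receiver's side as an added example that is not part of the original article: one receiver accepts any authentic encrypted frame, the other also requires an authenticated counter to increase. The names `seal`, `open_frame`, `NaiveReceiver` and `FreshnessReceiver` are hypothetical, the keys are constructed, and the XOR keystream is a stand-in for a real cipher.

```python
import hashlib
import hmac
import struct

# Constructed demo keys; a real device would provision these per device.
ENC_KEY = b"constructed-enc-key"
MAC_KEY = b"constructed-mac-key"

def _xor_keystream(counter: int, data: bytes) -> bytes:
    # Stand-in cipher so the example needs only the standard library;
    # use a vetted AEAD (e.g. AES-GCM) in a real product.
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(ENC_KEY, struct.pack(">QI", counter, block),
                           hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(counter: int, plaintext: bytes) -> bytes:
    """Sender: frame = counter || ciphertext || HMAC(counter || ciphertext)."""
    body = struct.pack(">Q", counter) + _xor_keystream(counter, plaintext)
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()

def open_frame(frame: bytes):
    """Return (counter, plaintext) for an authentic frame, else None."""
    if len(frame) < 8 + 32:
        return None
    body, tag = frame[:-32], frame[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, body, hashlib.sha256).digest()):
        return None
    counter = struct.unpack(">Q", body[:8])[0]
    return counter, _xor_keystream(counter, body[8:])

class NaiveReceiver:
    """Accepts any authentic frame, so a recorded frame works twice."""
    def accept(self, frame: bytes) -> bool:
        return open_frame(frame) is not None

class FreshnessReceiver:
    """Also requires the authenticated counter to be strictly increasing."""
    def __init__(self):
        self.last_counter = -1
    def accept(self, frame: bytes) -> bool:
        opened = open_frame(frame)
        if opened is None or opened[0] <= self.last_counter:
            return False
        self.last_counter = opened[0]
        return True
```

The receiver's last counter has to survive reboots; otherwise a power cycle lets an old frame through again.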
Even these simple examples should give you a feel for why security is such a challenging issue, internet security in particular. There’s no reason to think it will be any simpler with the IoT.
Technological progress and the ongoing redefinitions of scope create a dynamic situation that forces us to constantly revisit current security measures. We don’t know what’s coming next and we can’t see the whole range of threats looming on the horizon. So how can we possibly know that we’re secure?
Despite how it may sound, there’s no need to despair. We all live our daily lives making reasonable assessments of how to stay out of trouble. This applies to the IoT as well.
And what’s happening today in technology also comes with great new opportunities. The IoT will enable us to collect more data, to know more and to make better (more qualified) decisions faster. This new territory will improve the quality of our lives and create further prosperity. Of course, we do need to learn how to maneuver in this new world — and how to stay out of trouble. Progress isn’t free.