The Gap between IoT Policy and IoT Reality

An increasing gap between IoT policy and IoT reality is forcing consumers, brands and governments to navigate extremely muddy waters.

From applications in smart cities to healthcare, from industrial use case to commercial, the Internet of Things (IoT) is emerging as a strong enabler of the As-a-Service Economy. But for all the opportunities arising from new sources of Accessible and Actionable Data, there are also new threats – well organized and fast paced — that require the implementation of Holistic Security throughout the industrial/commercial ecosystem.

HfS recently attended an IoT Policy Briefing at the DC-based Center for Policy on Emerging Technologies (C-PET), featuring Nigel Cameron (President and CEO of C-PET), Martin Apple (President Emeritus of the Council of Scientific Society Presidents), Daniel Caprio (Chairman of the Providence Group), Richard Cooper (VP of Research and Emerging Issues for the US Chamber of Commerce Foundation), Michael Nelson (Public Policy lead for Cloudflare), and Karen Rose (Senior Director for Policy and Research at The Internet Society).

We want to share an overview, and our comments, on this session.

Framing the IoT Discussion

Key Themes: The concepts behind IoT are far from new – massive sensor networks have been around for decades in energy and manufacturing. What is new is the low cost of today’s sensors and the ubiquity, reliability and low-cost performance of the hyper-connected Internet (and cellular/wifi access).

In the industrial sector, this has produced a wave of smart devices in areas such as manufacturing, transportation, and public utilities. In the consumer sector, we are witnesses the rise of mass-market products with (hidden/embedded) IoT.

While the US market has the largest revenue potential, the greatest benefit may be in emerging countries and economies where IoT is leveraged to provide first-in smart infrastructure.

HfS Position: The distance between industrial IoT (with a long history of sensor practices) and commercial IoT (with little historical foundation) is growing rapidly. The industrial/commercial IoT gap will increasingly muddy corporate & government IoT policy discussions.

The Internet of Threats

Key Themes: The phrase “threat multiplier” is heard often in the context of IoT. From an industrial perspective, many of the sensors now “online” are 10 to 20 years old, developed at a point when cyber security was not a concern. These devices both send data and receive commands, placing industrial operations at significant risk.

Many IoT-enabled commercial products are focused on immediate market value, with security either an afterthought or not possible (one speaker used the example of a common $.03 sensor – it has no security, it has no “on/off” – it merely captures/sends personal data).

Examples of a “market first, secure second” approach can be seen in recent hacks of vehicles (where security was lightly considered in the initial implementation) and in manufacturing/software companies launch a product and then offer/pay “hack rewards” to groups who identify zero day issues.

HfS Position: The rise of #massrisk scenarios in the industrial digital age will place a significant burden on enterprise security personnel who must be both elevated within the enterprise and empowered to ensure ecosystem security (of both the enterprise and the brand products/services). We expect corporate risks incurred to increasingly impact the ability of an enterprise to hire talent, borrow money, or secure adequate business insurance.

The Internet of Policies

Key Themes: It was accepted by participants, that there is a significant divide between the players in the digital economy and the policy makers in governments today. One theme that resonated involved the fear of over-reaction – new security breaches often result in hastily passed legislation, which often is either un-necessary or counter-productive, with one speaker asking government to take a “Do No Harm” approach to legislation.

HfS Position: HfS believes the “Do No Harm” approach should apply to the industry at large – enterprise brands must adopt an approach that follows “do no harm” to its ecosystem, backed up with corporate behavior that includes ethical considerations of the risk to business partners, employees, and consumers if its IoT strategy proves less than secure.