Rise of the Intelligent Information Brokers: Role of Computational Law Applications in Administering the Dynamic Cybersecurity Threat Surface in IoT

It is widely regarded as the next big thing, a major milestone in the internet’s evolution, triggering forecasts of a vast infrastructural setup of arrays, sensors and computer networks containing more than 8 billion devices by 2020 (Gartner) and market values ranging from $4 trillion to $11 trillion by 2025 (McKinsey). As big and lucrative as the internet of things (IoT) stands to be, so are the myriad challenges involved in ensuring it remains user-friendly. My focus here is on two of those challenges: highlighting the cybersecurity threat framework and explaining the role of AI-driven computational law applications (CLAI) to help achieve that objective.

Commentators tend to refer to cybersecurity threats in the IoT space as “new,” but this is far from accurate. Hacking, exfiltration, malware, patching failures, DDoS, ransomware: the security problems that plagued D-Link, ASUSTek and Dyn all predate the IoT emergence mile marker. Yes, the threats will evolve, just like anything else in technology. They will, undoubtedly, get faster, smarter and more difficult to detect. We will see evolved cyber weapons of Stuxnet caliber; quantum-computing-powered attacks; ransomware with stronger encryption; attacks on blockchain; lightweight block cipher compromise, etc. These evolved threat tools will represent the “new normal” until they too evolve in the technology lifecycle. But again, these threats are not “new.” They are merely evolving around the same destructive principles. The best practices to deal with them, be they from NIST, COBIT5, ISO, ISA or the FTC, already exist.

Concomitant with this evolutionary process is the transformation of the threat surface. Simply put, the bad actors have a much more robust target environment to operate in, not only in terms of their opportunity to cause chaos and damage, but also as it relates to the quality of the data available; it is potentially more valuable than ever before. Throw in the (generally speaking) abysmal track record in dealing with already well-known threat vectors, and it is unlikely the success rate in dealing with the IoT threat landscape will fare any better. However, this is where CLAI can shine.

It is extremely challenging to fix the cybersecurity compliance gap. But using CLAI it may be relatively easier to minimize the threats by having educated users. The more educated a user is, the better he/she is, and a better user is one that can properly select the best-in-breed/safest IoT products. To count as an educated user, however, the user must be able to make a well-informed decision before choosing an IoT product or solution. The current challenge, of course, is that users never read the attendant terms and conditions that come with any product, let alone anything related to IoT. The result is that in today’s contracting environment, valid consent is (arguably) provided by a user, but that entire exercise is merely a check-the-box event aimed at the “we got consent” trophy. The obtained consent is not meaningful because the user has no idea what they agreed to; none of this yielded an educated user. Instead, the purchase decision was merely the product of flashy seller marketing materials and, perhaps, “recommendations” from unknown or friendly similar buyers.

CLAI can fill the important educational role of information brokers for users of IoT devices. They are not intended to teach users cybersecurity, but CLAIs can be used to signal to users which IoT products have, for example, unreasonable terms and conditions and/or poor safety settings that render particular IoT products relatively dangerous, or otherwise undesirable to use from a cybersecurity perspective. When that happens, the CLAI will alert the user with a red flag or other simple-to-understand symbol. Similar in principle to what I described in the Maximizing Representative Efficacy: Part II post, a given score is the product of a learning algorithm that evaluates coded best practices (from the standards-setting and enforcement organizations mentioned above), recommended terms and conditions (an agreed standard, delivered by, for example, the ALI) and, optionally, a user’s risk tolerance, which would initially be rendered from a series of profiling questions presented to the user but over time learned from the user’s actions.
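The scoring idea above, reduced to working code as an added example (this is not code from the post or from any CLAI project). It assumes a constructed set of quality markers: the check names and weights in `BEST_PRACTICE_WEIGHTS` and `TERMS_WEIGHTS`, the `MANDATORY_PRACTICES` hard-fail rule, the `score_product` thresholds and the `update_tolerance` moving average are all illustrative placeholders standing in for the coded NIST/FTC/NTIA best practices and the ALI-style recommended terms the post refers to; the three catalogue entries are constructed, not real products. It goes slightly beyond the text by showing why a device that can never be patched stays red regardless of how risk-tolerant the user is, and by listing the reasons behind the symbol so the user learns something from the flag.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed, constructed quality markers. The check names and weights are
# illustrative placeholders, not the actual rule set of NIST, the FTC, NTIA
# or the ALI; a real CLAI would encode the published best practices instead.
BEST_PRACTICE_WEIGHTS: Dict[str, int] = {
    "receives_security_updates": 3,      # device can be patched at all
    "update_support_end_disclosed": 2,   # seller states when updates stop
    "auto_update_default_on": 2,         # patches apply without user effort
    "unique_default_credentials": 3,     # no shared factory password
    "encrypted_transport": 3,            # device traffic is encrypted
}
TERMS_WEIGHTS: Dict[str, int] = {
    "security_update_commitment": 2,          # favourable term: credit
    "data_sale_to_third_parties": -3,         # unreasonable term: penalty
    "unilateral_change_without_notice": -2,   # unreasonable term: penalty
}
# A device that can never be patched is flagged red whatever the user's tolerance.
MANDATORY_PRACTICES = {"receives_security_updates"}
MAX_POINTS = sum(BEST_PRACTICE_WEIGHTS.values()) + sum(w for w in TERMS_WEIGHTS.values() if w > 0)


@dataclass(frozen=True)
class Product:
    name: str
    practices: Dict[str, bool]   # check name -> True if the product meets it
    terms: Dict[str, bool]       # term name -> True if the term is present


@dataclass
class Assessment:
    score: float                 # 0.0 (worst) .. 1.0 (best)
    flag: str                    # "red", "amber" or "green"
    reasons: List[str] = field(default_factory=list)


def score_product(product: Product, tolerance: float) -> Assessment:
    """Score one product against the coded markers and the user's risk tolerance
    (0.0 = risk-averse, 1.0 = risk-tolerant). Thresholds are assumed values."""
    points = 0
    reasons: List[str] = []
    for check, weight in BEST_PRACTICE_WEIGHTS.items():
        if product.practices.get(check, False):
            points += weight
        else:
            reasons.append(f"missing best practice: {check}")
    for term, weight in TERMS_WEIGHTS.items():
        if product.terms.get(term, False):
            points += weight
            if weight < 0:
                reasons.append(f"unreasonable term: {term}")
    score = round(max(points, 0) / MAX_POINTS, 2)

    # Risk-averse users see a red flag sooner; tolerant users see green sooner.
    red_below = 0.6 - 0.3 * tolerance
    green_at = 0.85 - 0.2 * tolerance
    hard_fail = any(not product.practices.get(p, False) for p in MANDATORY_PRACTICES)
    if hard_fail or score < red_below:
        flag = "red"
    elif score >= green_at:
        flag = "green"
    else:
        flag = "amber"
    return Assessment(score, flag, reasons)


def update_tolerance(tolerance: float, chosen: Assessment, alpha: float = 0.25) -> float:
    """Learn tolerance from behaviour: each purchase nudges the profile toward the
    risk the user actually accepted (1 - score). Simple moving average, assumed."""
    accepted_risk = 1.0 - chosen.score
    new = (1 - alpha) * tolerance + alpha * accepted_risk
    return round(min(max(new, 0.0), 1.0), 2)


# Constructed sample catalogue (not real products).
CATALOGUE = [
    Product("camera-a", practices={k: True for k in BEST_PRACTICE_WEIGHTS},
            terms={"security_update_commitment": True}),
    Product("plug-b", practices={"encrypted_transport": True},
            terms={"data_sale_to_third_parties": True, "unilateral_change_without_notice": True}),
    Product("hub-c", practices={"receives_security_updates": True, "update_support_end_disclosed": True,
                                "unique_default_credentials": True},
            terms={"security_update_commitment": True, "data_sale_to_third_parties": True}),
]

if __name__ == "__main__":
    for tol in (0.0, 1.0):
        for product in CATALOGUE:
            a = score_product(product, tol)
            print(f"tolerance={tol:.1f} {product.name}: score={a.score} flag={a.flag} reasons={a.reasons}")
```

Running it shows the tolerance dimension at work: the middling hub scores the same 0.47 for every user, but a risk-averse profile sees it red while a risk-tolerant one sees amber, and the unpatchable plug is red for both. The `reasons` list is what turns the symbol into education, since a user who sees "unreasonable term: data_sale_to_third_parties" next to the flag now knows something about the terms they would otherwise never have read.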

Enforcement actions, stronger compliance efforts, better safety-by-design manufacturing principles, all of these will help minimize the IoT cybersecurity threats. Coupled with well-educated users who effectively leverage CLAI, the IoT cybersecurity environment stands to be not only robust, but, more importantly, user-friendly.

***

Update 7/18/17: The substance of the FTC’s public comment to the National Telecommunications & Information Administration’s (NTIA) draft guidance “Communicating IoT Device Security Update Capability to Improve Transparency for Customers” can be distilled into computer code. Together with other standards mentioned in this post, the best practices in this comment can help serve as quality markers for the CLAIs.