Rise of the Intelligent Information Brokers: Role of Computational Law Applications in Administering the Dynamic Cybersecurity Threat Surface in IoT

The internet of things (IoT) is widely regarded as the next big thing, a major milestone in the internet’s evolution, triggering forecasts of a vast infrastructure of arrays, sensors and computer networks containing more than 8 billion devices by 2020 (Gartner) and market values ranging from $4 trillion to $11 trillion by 2025 (McKinsey). As big and lucrative as the IoT stands to be, the challenges involved in keeping it secure and user-friendly are just as large. My focus here is on two of those challenges: outlining the cybersecurity threat framework, and explaining how AI-driven computational law applications (CLAI) can help meet that objective.

Commentators tend to refer to cybersecurity threats in the IoT space as “new,” but this is far from accurate. Hacking, exfiltration, malware, patching failures, DDoS, ransomware: the security problems that plagued D-Link, ASUSTek and Dyn all predate the IoT mile marker. Yes, the threats will evolve, just like anything else in technology. They will, undoubtedly, get faster, smarter and more difficult to detect. We will see evolved cyber weapons of Stuxnet caliber, quantum-computing-powered attacks, ransomware with stronger encryption, attacks on blockchains, lightweight block cipher compromises, and so on. These evolved threat tools will represent the “new normal” until they too evolve in the technology lifecycle. But again, these threats are not “new.” They are merely evolving around the same destructive principles, and the best practices for dealing with them, whether from NIST, COBIT 5, ISO, ISA or the FTC, already exist.

Concomitant with this evolutionary process is the transformation of the threat surface. Simply put, the bad actors have a much richer target environment to operate in, not only in terms of their opportunity to cause chaos and damage, but also in terms of the quality of the data available, which is potentially more valuable than ever before. Add the (generally speaking) abysmal track record in dealing with already well-known threat vectors, and it is unlikely that the success rate in dealing with the IoT threat landscape will fare any better. This, however, is where CLAI can shine.

Closing the cybersecurity compliance gap is extremely challenging. With CLAI, however, it may be comparatively easier to minimize the threats by producing educated users. The more educated users are, the better choices they make, and a better user is one who can select the best-in-breed, safest IoT products. To count as educated, a user must be able to make a well-informed decision before choosing an IoT product or solution. The current challenge, of course, is that users never read the terms and conditions that come with any product, let alone one related to IoT. The result is that in today’s contracting environment, valid consent is (arguably) provided by the user, but the entire exercise is merely a check-the-box event aimed at the “we got consent” trophy. The consent obtained is not meaningful, because the user has no idea what they agreed to; none of this yields an educated user. Instead, the purchase decision is merely the product of flashy seller marketing materials and, perhaps, “recommendations” from unknown or friendly fellow buyers.

CLAI can fill this important educational role as information brokers for users of IoT devices. They are not intended to teach users cybersecurity; rather, CLAIs can signal to users which IoT products have, for example, unreasonable terms and conditions and/or poor safety settings that make those products relatively dangerous, or otherwise undesirable from a cybersecurity perspective, to use. When that happens, the CLAI alerts the user with a red flag or another simple-to-understand symbol. Similar in principle to what I described in the Maximizing Representative Efficacy: Part II post, a given score is the product of a learning algorithm that evaluates coded best practices (from the standards-setting and enforcement organizations mentioned above), recommended terms and conditions (an agreed standard, delivered by, for example, the ALI) and, optionally, the user’s risk tolerance, which would initially be rendered from a series of profiling questions presented to the user but over time learned from the user’s actions.

Enforcement actions, stronger compliance efforts, better safety-by-design manufacturing principles, all of these will help minimize the IoT cybersecurity threats. Coupled with well-educated users who effectively leverage CLAI, the IoT cybersecurity environment stands to be not only robust, but, more importantly, user-friendly.

***Postscript***

10/11/20: Singapore’s Cybersecurity Labelling Scheme is “part of efforts to improve Internet of Things (IoT) security, raise overall cyber hygiene levels and better secure Singapore’s cyberspace.” Such a scheme could serve as a CLAI data source, but several key points deserve highlighting in this regard (and they apply to any similar scheme, not just Singapore’s). First, the scheme should be regarded as one data source among others, and the device score still needs to be normalized; i.e., to maximize its informational accuracy, other data sources covering similar devices need to be evaluated by the CLAI as well. Second, it is reasonable to expect that labelling schemes will vary in reliability, both in their scoring mechanisms and in their overall track record (which is a function of time). This, in turn, dovetails with the third point: transparency. The labelling scheme should be auditable so that its scoring mechanism can be periodically scrutinized by the CLAI, which highlights the importance of adopting a uniform meta structure for such cybersecurity labelling schemes. Of course, application resiliency is also critical, since it enables the CLAI to cope with meta-structural infirmities and other anomalies in its data sources.

10/4/18: California’s SB-327 aims at improving the cybersecurity of IoT. Beginning January 1, 2020, the law requires IoT manufacturers to “equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.” SB-327 ties in with CLAI, and can be viewed as the genesis of a requirement to integrate CLAI into IoT.

10/30/17: CLAI apps can also play an important role in securing VR, AR and MR environments. One such environment is Magic Leap. The enormous investment it has garnered so far (and there isn’t even a commercially available product at this point) hints at what promises to be a robust, widely popular platform for a wide array of applications. This, of course, also offers hackers an expanded cybersecurity threat surface, but CLAIs could help secure it from attacks.

7/18/17: The substance of the FTC’s public comment to the National Telecommunications & Information Administration’s (NTIA) draft guidance “Communicating IoT Device Security Update Capability to Improve Transparency for Customers” can be distilled into computer code. Together with other standards mentioned in this post, the best practices in this comment can help serve as quality markers for the CLAIs.