Paper and Presentation Preview

Next week, I am presenting my paper, “Rise of the Intelligent Information Brokers: Role of Computational Law Applications in Administering the Dynamic Cybersecurity Threat Surface in IoT” at the University of Minnesota Law School IoT Symposium. (It will be published in the Minnesota Journal of Law, Science & Technology.) The paper explains the role that AI-enabled computational law applications can play in decreasing the cybersecurity risks of using IoT devices. Below are some of the points I will be discussing.

***

  1. Cybersecurity best practices are abundant and in many cases free, yet the persistent failure to execute them effectively prevents meaningful risk mitigation. One of the most significant root causes of a cybersecurity breach is user error.
  2. The AI Risk Ratio: the greater the computing power of the AI integrated and used within an IoT device, the greater the probability that the device can generate, store and transmit higher-quality/value data. That in turn raises the probability that it will garner a higher target value score, and so require stronger protections.
  3. Threats to the confidentiality, integrity and availability of IoT-generated data can be effectively dealt with so long as users become markedly more educated about the IoT devices they use. Attaining this requires putting in place tools that enable users to make meaningful, optimal choices. At the device purchase stage, these tools drive the decision to purchase a certain device, which means they must present the user with an efficient amount of information that enables substantive analysis in real time. During the post-purchase phase, continued use of the device reflects that these tools keep the user systematically informed, and supports the conclusion that the user has determined that the device meets or exceeds the necessary cybersecurity criteria on an ongoing basis.
  4. Augmented automation (NIST SP 800-160 refers to it as “engineering-based solutions”) is necessary, and artificial intelligence-powered computational law applications (CLAI) are the tool of choice and an essential part of the answer. They make it possible to mitigate IoT cybersecurity threats not just at the user level, by generating more educated users, but also at the device manufacturer level.
  5. CLAIs accomplish this goal by generating “action signals.” Action signals are distilled from the CLAI’s assessment of multiple reference points. An illustrative list of these includes: (a) existence of unfavorable terms and conditions (e.g., a poor warranty); (b) litigation frequency (the manufacturer has more than a certain amount of relevant litigation in any given year and/or has been the subject of enforcement actions by the FTC); (c) evaluation of conformance with privacy and security-by-design principles; (d) identification of compliance, or lack thereof, with cybersecurity best practices and with FTC consent decrees; (e) manufacturer-issued security and privacy notices; and (f) the user’s risk tolerance profile (in sync with the AI Risk Ratio). When any of these monitored parameters meets or exceeds a certain set threshold, the CLAI generates its score and alerts the user with an actionable signal, such as a red flag (at the most rudimentary level).
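
The threshold rule in point 5 can be sketched in code; this is an added example, not taken from the paper. The [0, 1] scoring scale, the base thresholds, the scaling formula that ties the risk tolerance profile (f) to the AI Risk Ratio, and the "incomplete" and "clear" labels are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Reference points (a)-(e) from point 5, with assumed base thresholds.
# Readings are constructed scores in [0, 1]; higher means more concern.
BASE_THRESHOLDS = {
    "unfavorable_terms": 0.6,            # (a)
    "litigation_frequency": 0.5,         # (b)
    "design_principle_gaps": 0.5,        # (c)
    "best_practice_noncompliance": 0.4,  # (d)
    "manufacturer_notices": 0.7,         # (e)
}

@dataclass
class ActionSignal:
    flag: str  # "red", "incomplete" or "clear" (assumed labels)
    tripped: list = field(default_factory=list)
    unassessed: list = field(default_factory=list)

def effective_thresholds(risk_tolerance, ai_risk_ratio):
    """Lower the thresholds for risk-averse users (f) and for devices with
    a high AI Risk Ratio. Both inputs are in [0, 1]; the formula is assumed."""
    for name, v in (("risk_tolerance", risk_tolerance),
                    ("ai_risk_ratio", ai_risk_ratio)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {v}")
    scale = (0.5 + risk_tolerance / 2) * (1 - ai_risk_ratio / 2)
    return {k: t * scale for k, t in BASE_THRESHOLDS.items()}

def evaluate(readings, risk_tolerance, ai_risk_ratio):
    """Return the action signal for one device's reference-point readings."""
    tripped, unassessed = [], []
    limits = effective_thresholds(risk_tolerance, ai_risk_ratio)
    for name, limit in limits.items():
        value = readings.get(name)
        if value is None:
            unassessed.append(name)  # missing data must not pass silently
        elif value >= limit:         # "meets or exceeds"
            tripped.append(name)
    flag = "red" if tripped else ("incomplete" if unassessed else "clear")
    return ActionSignal(flag, tripped, unassessed)

# Constructed sample readings for one hypothetical device.
SAMPLE = {
    "unfavorable_terms": 0.3,
    "litigation_frequency": 0.35,
    "design_principle_gaps": 0.2,
    "best_practice_noncompliance": 0.25,
    "manufacturer_notices": 0.1,
}
```

The same readings produce no signal for a risk-tolerant user of a low-capability device, and a red flag once the tolerance drops and the AI Risk Ratio rises.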