Have you updated your “smart toaster” recently? To ensure you don’t get hacked and your toaster isn’t recruited for some malicious deed, this might be a good idea. Do it now! As Scott J. Shackelford of the University of Indiana argues in his book “The Internet of Things: What Everyone Needs to Know”: “We are just at the beginning of governing AI with cybersecurity in mind, including in the Internet of Things context.” The What Everyone Needs to Know® series from Oxford University Press is an excellent resource for the general public, written in plain, accessible language by experts. What follows is an interview with Scott:
We used to just have things with computers inside them, but now we have computers with things attached. Can you explain why this matters?
SS: The Internet of Things (IoT) has, in many ways, become the Internet of Everything (IoE). It’s now getting to the point that we must try hard, and sometimes pay a premium, to find consumer devices that aren’t smart. This extends across a broad range of product classifications and sectors, including cars, which have become little more than sleek smartphones on wheels. This revolution is having a range of consequences, from making it harder to repair everyday devices if you don’t have a background in coding, to dramatically increasing the attack surface that adversaries can potentially take advantage of in future conflicts. No nation, or at this point individual, is an island in cyberspace, however much some wish they were.
The explosion in Internet-connected stuff has been driven by three forces in particular. First, costs are plummeting. Consider that in 2004, the average price of an IoT sensor was $1.30; by 2018, it had dropped to 44¢, and has continued to fall. Second, connection speeds are increasing, and 5G (soon enough 6G) availability means that more devices than ever before can be connected together in an ever smaller geographic footprint. Third, companies can now offer a wider range of IoT-related services than ever before, from navigation and on-demand product delivery to health and wellbeing services, further driving demand.
In the Internet of Things, what types of things should the public be most concerned about?
SS: For consumers, it’s been very tough – even for those who care about their privacy, and their family’s security – to know how to shop for products that will be good stewards of their data. From smart speakers and TVs to cars, there is often a black box when it comes to what information is being gathered, for what purpose, and who’s getting access to it. That is starting to change with the FCC’s new US Cyber Trustmark program, which will be rolling out and giving consumers information about the privacy and security features of products like we already do through Energy Star with energy efficiency.
The public should be concerned first about vulnerabilities in existing products. Most people occasionally are prompted, and agree, to update their computers, tablets, and phones – few know about the need to update their smart toaster, which depending on the model might not even be possible. And, of course, even updated software can still be hacked by using zero day exploits, or hitherto unknown backdoors into systems that can recruit your smart products to form a botnet and take down a variety of services. This lack of awareness is compounded by the challenges of identifying secure devices for themselves and their families.
With the rapid advancement of AI, how will this matter when it comes to the Internet of Things?
SS: AI is already impacting smart products, as seen in offerings like Humane’s AI pin that allows you to speak with a bot at the touch of a button. When it comes to security, these models can help defenders guard against exploits, but also will enable attackers to find new backdoors into IoT systems. Most likely, this will serve to supercharge the threat environment, making it that much more important both to deal with our existing IoT technical debt in the form of millions of unsecured devices like smart lightbulbs, and not to make it worse by putting into place stronger requirements for ‘reasonable’ cybersecurity.
We are just at the beginning of governing AI with cybersecurity in mind, including in the IoT context. There have been a raft of efforts including the EU’s new AI Act, extension of their Products Liability Directive to cover software, and the Digital Services Act. In the US, we have seen a recent Biden Administration Executive Order focusing on AI, along with action at the state and local levels, and a push toward international AI norm building, but so far there are relatively few defined guardrails. Some of the more active states in the US include California, which has an IoT law on the books requiring that Internet-connected devices have ‘reasonable’ cybersecurity – I wouldn’t be too surprised if it also took a leading role in regulating the use of AI in this context even absent federal efforts to secure software, including AI.