Overregulation in the name of security will hobble the burgeoning Internet of Things. We need to be pragmatic about managing security and privacy risks.
It’s been 20 years since the Internet first went public. It started small and grew quickly, in part due to the decision by the Clinton administration to not regulate it. Based on the conclusion that it was better to get the Internet’s economic benefits—even though they came with some risk—rather than slowing down deployment to await perfect security, that decision helped unleash the Internet economy.
That was the right choice then, but there is a good chance we will make the wrong choice when it comes to the Internet of Things (IoT) — the fast-expanding network of appliances, industrial machines and other “real” things virtually connected to each other.
The Internet is not secure, and the U.S. loses billions every year from cybercrime and espionage. If we could do it over, some people say, we should pay much more attention to security. Yet that discussion ignores net gain. Yes, the U.S. loses billions, but it gains tens of billions in additional income.
The same applies to privacy — the gains outweigh the loss. Americans traded away privacy for explosive growth in Internet services. Europeans made a different trade — they kept 1970s privacy and got a 1970s Internet economy. People have almost no privacy today, much less than they did in 1999, when Sun Microsystems CEO Scott McNealy famously said, “You have zero privacy anyway. Get over it.” The business model of the Internet is to extract personal data, match it with more personal data, aggregate it, then use it for commercial purposes.
Consumers accept this — the Internet changed their preferences and behavior — but privacy advocates want to subject the data generated by refrigerators and auto tires to stricter rules than were ever applied to the Web. This may make them feel better, but it will not improve privacy — and it will harm innovation and growth.
The debate over IoT security and privacy is skewed the wrong way. If we underestimated risk of the first Internet, we are overestimating risk for IoT. The result of this will be slower growth and fewer new products and services. We need to be realistic about the IoT, using three metrics to think about how to manage risk:
- Scalability — To move beyond pranks, a hacker needs to achieve mass impact. This means simultaneously hacking hundreds or thousands of devices — an unlikely prospect — or finding an IoT device that controls many others. These “command” devices need a higher degree of scrutiny and attention to security; others do not.
- Sensitivity of function — We need to ask how sensitive the IoT function is for human life and safety. Turning off your refrigerator or air conditioning is annoying. Turning off a jet engine in-flight could be life threatening. Devices providing sensitive functions require a higher degree of scrutiny and security.
- Value of data — IoT privacy rules need to match the value of the data. Devices will generate floods of data, but most of the data created will have very little value and will not pose much risk to privacy, even when aggregated. Simply because IoT data includes personally identifiable information does not necessarily make it valuable or sensitive. Most IoT data does not need strict privacy safeguards.
When it comes to IoT, one size does not fit all — and trying to define specific privacy rules or cybersecurity standards that apply to all IoT devices is inane. We do not know what paths IoT innovation will take or how consumers will use it, so we must leave room for experimentation and serendipity. New technologies make societies richer, and technological change is the only source of growth for the U.S.
The right policies for IoT can drive innovation, but a heavy hand will hobble it — particularly if we rely on anecdote or supposition rather than data to shape those policies. We can safely leave decisions about security and privacy for most IoT devices to market forces and the courts.
There is risk in every technology we use — hold IoT captive to our fears and we will sacrifice opportunity.
James Andrew Lewis is a Senior Fellow and Director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS).