
Like it or not, the Internet of Things (IoT) is coming. It will involve at least an order of magnitude increase in the number of devices connected to the global Internet, which is now a critical piece of global infrastructure running on a TCP/IP protocol suite that was never designed with security in mind in the first place.

One of many problems with the IoT is that it is neither well-defined nor well understood. It comes in a multiplicity of forms that hinder the needed policymaking between the private and public forces on which the current Internet depends. One form is a series of networked applications where various devices collect information at the periphery of the network and phone home to the clouds of their owners. Here we talk, for the most part, about appliances, consumer electronics and network equipment, and devices set up to interface with the mobile phones of their users. The vast majority of use occurs in cases where the five or six most important network platform owners operate the equivalent of fiefdoms, where Google, Apple, Facebook and even Amazon, let alone Microsoft, are eager to schedule an interface of your daily activity vis-à-vis the Internet. In return for giving you allegedly the best advice on how to schedule your life, they want your data not only from your phone and perhaps your TV in addition to your computer, but why not add in your refrigerator as well?

In contrast to this there is another Internet of Things that is in many ways far more pervasive and ubiquitous. It is one running on networks of sensors. These networks were first called the Internet of Things by Kevin Ashton as early as 2009. They now function wherever measurements of one sort or another need to be taken and reported in to some more central facility. They can perform in benign ways in cities, telling governments when trash cans are full and need to be emptied. Measuring how much water is left in reservoirs, and even performing chemically based air quality checks, means that it is now possible to replace the complex and expensive monitoring systems demanded by law with sensor technology deployed in the environment. Such systems used to need replacing every two or three years at a cost of several hundred thousand dollars; a sensor-based system can achieve the same mandate and be renewed or installed at a cost of well under $1000. These systems communicate almost entirely over smallish wireless local area networks, where they transfer data to servers that may or may not be connected to the Internet at large.

Since these devices can do things like turn on and off components of critical infrastructure, their security becomes quite important because, as we have seen on an almost daily basis, there seem to be more malevolent hackers out there than “good guys.”

The difficulty of the current situation is increased because, due to the speed of changes over the past five years, the regulatory system has been unable to provide the customary protection. That system has been counted on to provide some protection for the interests of the public at large who, in many cases, depend for their very lives on the integrity of Internet infrastructure. In addition to the usual difficulty of keeping up with regulatory mandates, we have a situation where, in the United States, the problem has been compounded by fallout from the Republicans' closure of the United States' internationally respected Congressional Office of Technology Assessment (OTA). The neutral public policy studies of the OTA have since 1994 been replaced by K St. lobbying papers that champion the interests of their particular corporate sponsors.

As a result, we have in the United States a situation where, as this issue will show, the major proponents of the Internet of Things are divided into two camps. On the one hand we have the representatives of the “administrative state,” to borrow the current term popularized by its opponents in the current administration. These folk are represented by internationally respected experts on Internet security like Bruce Schneier, who pleads for regulation of what he views as such an appalling lack of security that it seems he can see the current situation only in the most apocalyptic of terms. “Click Here to Kill Everyone” is the provocatively titled, very recent article by Schneier from which we offer lengthy excerpts in the pages that follow.

Virtually no one to whom we have talked denies that there is a serious security issue lurking in the IoT. The question appears to be how to handle it. We illustrate it in part by presenting a loose transcription of a recent IRT security panel showing the large variety of people involved in trying to figure out how to deal with what is happening. What we are seeing are cases where cheap and virtually unprotected devices like Linux-based network routers used as customer premises equipment are being hacked and cobbled together into botnets that have carried out distributed denial of service attacks on significant public websites, with traffic totals in the hundreds of gigabits per second. The primary example of this is Mirai. And during the first week of April 2017 we have also seen the emergence of a similar new botnet which at this time is “bricking” the devices it infects by corrupting their ability to carry out the functions for which they are being used.

But on the other hand there is an opposing point of view taken by well-meaning people who maintain that the “free market” can be relied upon to force manufacturers to clean up their act and keep disaster at bay. This alternative point of view is represented in this issue by an interview with Ken Miller, whom we met about five years ago when he was working for the Midwest Power Authority, an entity involved in maintaining a major portion of the North American electric utility grid. Ken showed his engineering talent when, in a discussion lasting about three weeks with Neil Davies of Performance Network Solutions, he was able to present a generally understandable explanation of an approach to Internet traffic engineering that flew in the face of standard network tradition and assumptions.

Ken is currently involved in an Internet of Things consulting business in Indiana and, in his free market orientation, he appears to be prepared to accept the risks of a free market approach. Perhaps the difference between the two sides here comes from an inherent faith that a successful IoT approach to certain markets will pay huge and much-needed economic dividends that might otherwise have to be foregone.

It is not the purpose of this issue to choose the public safety security approach over the more free-market risk-taking approach or vice-versa. Rather, our purpose is to get a more clearly focused understanding of the lay of the land. And in this case the final issue that seems to be extremely necessary for any kind of sound policymaking is that we need to better understand changes in Internet topology, and indeed in the general power structure, before we can comfortably choose between the interests of what used to be known as the public good and those of the more powerful technology fiefdoms that appear now to be calling the shots. We note that there are huge monetary fortunes to be made by those who can corner emerging and fast-changing markets.

Because the Internet of Things affects the stability and survivability of mission critical infrastructure, our ability to monitor network wide security issues becomes of increased importance. In this case we must also pay serious attention to the technology changes of the past four or five years that have rendered, according to Geoff Huston, forensic tracing of network attacks virtually impossible. We may collect it all, but it is now buried beneath so many layers of encrypted complexity that finding the needle in the haystack of global data before the terrorist has carried out his or her attack is no longer possible. This issue then offers its readers the reasons for serious concern over the security of IoT devices on the one hand while, on the other hand, it gives a platform to the free-market idea that more regulation is not needed because it will kill technology progress and cost too much in lost income by taking actions that can be shown, unfortunately only after the fact, to have been really necessary.

The problem is multi-layered. The United States Congress passes laws imposing or enabling new technologies. From the early 1970s the Congress had a small research division charged with the responsibility of doing neutral policy studies informing administrators, regulators and the general public of the various policy issues involved with an increasingly rapid onrush of new technologies. Thanks to action led by Newt Gingrich in 1994 that globally respected office has been abolished. Its abolition has enabled the takeover of Internet policymaking by lobbyists who are more interested in maximizing corporate financial returns than in anything that could be called a public interest.

While ideally one would hope for the more neutral and balanced policy guidance that used to come from the U.S. Congress Office of Technology Assessment, since we no longer have such an office we are faced with seriously opposing and conflicting alternatives. The first is that of recognizing the seriousness of security breaches that, if things go drastically wrong, could bring down critical parts of our physical infrastructure. Human lives will be at stake, and conceivably vast numbers of human lives.

There are two basic alternatives. One is to try to protect our citizens by responsible regulation of this new technology. However, as regulation is seen increasingly as the enemy, it is time to realize that the so-called free market approach may dominate and that, if it does so, extraordinarily strict attention must be paid to security issues.

This issue of the COOK Report comes in two parts. Part One explains and outlines security issues and concerns about threats to critical infrastructure. Part Two gives an approach to a more free-market point of view by means of an interview with a knowledgeable engineer from Indiana who is deeply involved in policymaking regarding the implementation of the Internet of Things in that state and elsewhere. We also offer a Conclusion based on the analysis by Geoff Huston, Chief Scientist of APNIC, of recent changes in the basic geography and power structure of the Internet, where a handful of global platforms have become supreme as delivery mechanisms for content and where the platforms have been installing their own changes to basic Internet protocols, such that, when combined with the ever increasing use of encryption (post Snowden), forensic tracing of network-based attacks is no longer possible. (We have also added a brief update on guifinet.) Regardless, it appears that the only alternative at this point is to try to inform the public and hope for the best.

Contents

Introduction: Technology Driven Whiplash

The Internet of Things
Wanted a Policy Framework for Public Education
A Complex Issue Examined from Two Differing Points of View
The Socio-Economic Context of these Developments

Part One — Bruce Schneier on Security and the Internet of Things

Comments on Schneier's Analysis
Internet and the Insecurity of Things | RSAC Live Panel
Nutrition Label
Need for Ability to Define Minimum Standards
Underwriter Labs Approach?
Let's Come Back to Schneier's own Wrap up

Part Two: Introducing Ken Miller on Indiana and Focusing on “Free market IoT” from this Point Forward

An Industry Approach to IoT
Home and Office Internet of Things
Uses of Surveillance to Detect Everything from Shoplifting to Workplace Mood
Measuring Subjectivity
The Electric Grid
Monitoring What Happens in your Home
Ethical Use of Machine Data
Precision Agriculture

Conclusion
The Platform Network Faces Security Issues

The Interrelationship of the Network Platform to its Physical Security Reinforces how Platforms Scale as Everything Else Becomes just Clients
We Have now Arrived at the Internet's Gilded Age

Some Basic Internet of Things Definitions from Apricot
That trend is IoT
The Platforms March On via Layer on Top of Virtualized Layer

A Two Year guifinet Update: January 2015 to February 2017