Adaptive IoT Security Standards: Can they work?
19 April 2018
Dr Irina Brass (STEaPP, UCL) and Dr Jesse Sowell (CISAC, Stanford University) present a joint research project that looks into the options available to create more effective, responsive and dynamic security standards for the Internet of Things (IoT).
We know IoT is a priority for a number of technical communities, but, recently, we have recognized the complementarity between two in particular: the standards-development community and the anti-abuse community. Both are highly concerned with cyber security vulnerabilities, both have an interest in eliminating those vulnerabilities, and each has developed different, yet we believe complementary, means of promoting a responsible level of security at different points in the IoT life cycle. So, we asked a very simple question: Can we combine the expertise and mechanisms used by these two communities to more dynamically respond to ongoing IoT cyber security issues?
Given our engagement with these technical communities, we have a good understanding of the processes and solutions that each is proposing to minimise cyber security vulnerabilities, and most importantly, the inherent trade-offs of these solutions. For instance, we know that formal standards-development has the benefit of being an iterative and deliberative process that aims to ensure technical consensus, but also has the side-effect of being relatively slow and lengthy. However, operational cybersecurity communities such as anti-abuse continually highlight that cybercriminal innovation moves much faster than even the most streamlined standards process. This is becoming especially evident when it comes to the development and exploitation of IoT-based attack platforms. It is important to investigate whether we can learn from and combine these mechanisms (ex ante standards development and ex post monitoring and enforcement) into a process that can more proactively respond to the vulnerabilities that insecure IoT brings.
If you are interested in learning more about this project, listen to the recorded discussion between Dr Sowell and Dr Brass below. The conversation highlights the challenges of setting a baseline for responsible IoT security, as well as the opportunities of combining reputation mechanisms that are familiar to security professionals with de jure and de facto standards-development processes for IoT cyber security and safety.
Dr Sowell is a Cybersecurity Fellow at the Center for International Security and Cooperation (CISAC) at Stanford University’s Freeman Spogli Institute for International Studies and an Honorary Lecturer at UCL STEaPP. Dr Sowell is Co-Chair of the IoT Special Interest Group (SIG) at the Messaging, Malware, and Mobile Anti-Abuse Working Group’s directs M3AAWG’s international outreach efforts.
Should this topic be of interest to you, have a look at our Digital Technologies and Policy (MPA) programme. Applications are now open!