IoT at MIT CIO Symposium, Part 2: IoT's Unholy Trinity

CAMBRIDGE, Mass. -- The Internet of Things basked in the spotlight at last month's MIT Sloan CIO Symposium, but all of that glare did bring to light some of IoT's major issues.

Internet of Things security is top of mind here at Telco Transformation. A recent Telco Transformation poll asked, "What is the biggest challenge of the IoT for your business?" "Security" was the top choice for the majority of respondents, coming in at 56%. (See Polls: Security Looms Large for IoT.) A similar poll question asked during a recent Telco Transformation webcast yielded a result of 53% for "security."

Panelists and presenters at this year's MIT CIO Symposium seemed to confirm Telco Transformation's findings in their insights. To be sure, IoT in general was the hot tech topic throughout the day at the symposium. It was not, however, originally slated to be the primary focus of a panel discussion, titled "Big Data 2.0: Next-Gen Privacy, Security and Analytics."

All four panelists, however, were eager -- perhaps cantankerously so -- to weigh in on the security, privacy and even regulatory challenges facing IoT now and in the future, including lamenting the negative impact that existing compliance and data-stewardship concerns have on IoT innovation.

"We all have been breached once in the past three years," Niraj Jetly, NutriSavings CIO and COO, pointed out on behalf of himself and his fellow panelists. "And more regulations are not helping."

Jetly's co-panelists were similarly skeptical of the benefit of new data-protection and security regulations where IoT is concerned.

"We are Balkanizing the Internet, moving back a decade ago when you had regional pockets of connectivity," blasted Anthony Christie, CMO of Level 3 Communications, of IoT on the same panel. "It's not just regulation; it's also the state of the [entire] legal system."

The panelists further agreed that the region-by-region guessing game of what's next, regulation-wise, for IoT has made things difficult for innovators.

"It's impossible to predict what is going to come, [and] if your organization is waiting to hear what the regulations are and you respond with the data strategy... you're gonna lose," said panelist Rob Thomas, vice president of product development for IBM Analytics. "Not even Watson can predict regulations. [Trying] to play the 'what-could-happen' game -- that's a recipe for wasted investment."

Meanwhile, panelist Ricardo Bartra, Americas Global forwarding SVP and CIO for Deutsche Post DHL, spent much of his speaking time repeatedly urging that IT leaders pose themselves this question: What are the minimum viable requirements for IoT data-protection compliance?

"Compliance does not equal security," Roota Almeida, head of information security at Delta Dental of New Jersey, warned dozens of symposium attendees during a later panel session that actually was designated for IoT cyber security discussion. "Compliance is good, but just because you're in compliance with the regulation does not mean you're secure."

Others on the IoT cyber security panel agreed that "check-the-box" compliance has only limited benefit where real, meaningful cyber security measures are concerned for IoT.

"The [compliance] frameworks -- they're not a cookbook and they're not a magic tool. [Before you apply them,] you really have to understand your business and the risks that are surrounding your business," cautioned Mark Morrison, State Street Corporation's CISO and one of Almeida's co-panelists. "A lot of companies that have more senior risk are probably moving away from the compliance checklist."

Still, Morrison allowed, security and privacy compliance frameworks -- such as the NIST Cybersecurity Framework -- do become advantageous if they become a standard. Standards, after all, allow better data-protection preparation while still fostering innovation.

Symposium attendee Lucy Lombardi, Telecom Italia's Senior Vice President of Innovation and Industry Relations, agrees that at least some of IoT's security problems can be resolved through technology and standards.

"Only 8% of IoT devices will have a SIM, and therefore be authenticated via secure mechanisms," said Lombardi in a post-symposium interview. For this reason, Lombardi indicated, Telecom Italia wants IoT devices to be treated, technologically speaking, more like traditional mobile devices.

"We are promoting in [the] GSMA the integrated UICC," or Uniform Integrated Circuit Card, said Lombardi, "whereby the standardized secure authentication mechanism developed for [the] mobile industry could be extended to any IoT device having a chipset that doesn’t necessarily need to be linked to licensed mobile connectivity."

IoT standards, however, may be a long way away.

"It took 15 years to get a standard for RFID," Level 3's Christie pointed out. "I remain skeptical [that IoT will get a standard] anytime soon."

If standards bodies and regulators cannot be relied upon, then, one of the first steps of implementing an IoT solution is to have a proper appreciation for the security risk, just as with any other connected device.

"There is no data that is not valuable to someone," observed Almeida -- advising that organizations take a bottom-up approach to IoT data protection, "putting in the controls from the beginning and making sure that the data is private."

Speaking on the same panel as Almeida and Morrison, Intel Security government- and education-solutions executive Tom Eilers related a cautionary tale of a university he visited.

"The power system of the university got hacked," said Eilers. "Everybody was paying attention to the students; nobody was watching the infrastructure."

Moderating the panel, MIT engineering and IT professor Stuart Madnick (who is also director of the MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity), presaged that IoT hacks like these are only the beginning.

"Imagine the police coming, knocking down your door and arresting your refrigerator for sending porno to high school students," Madnick told the panel audience. "It's just a matter of time."

— Joe Stanganelli, Contributing Writer