With 20-50 billion IoT devices projected to be connected by 2020, cybersecurity vulnerabilities are going to become an increasing problem over the next 3-5 years. This was one of the main topics of focus at last week’s Inform[ED] conference in Manhattan, where some of the industry’s most brilliant and innovative minds convened to discuss the biggest issues and potential solutions the wireless tech field faces. I was fortunate enough to sit down with Rob Alderfer, VP of Technology Policy for CableLabs. Alderfer spoke on the collaborations between industry and government on cybersecurity, the strategies both sides are employing, and how CableLabs is taking initiative in combating current and future cyber threats.
WDD: How delicate would you say the balance of government and industry action is when it comes to improving IoT security?
Alderfer: I think it needs to be a partnership. There needs to be a close collaboration between industry and government. Industry obviously has the technical expertise, global reach, and can rapidly evolve solutions to address threats that arise. Government obviously has a stake in those solutions, and so it’s important that the industry hear their advice, concerns, and what they’re expecting from the industry…that’s what we’re working with.
That’s why we had a policy perspective at the conference with Allan Friedman from NTIA. What I think he [Friedman] is doing is a great model of how collaboration can work with their multi-stakeholder process that NTIA is leading, where he’s convening the relevant experts across all of the domains in this problem space and trying to steer everyone towards common solutions. I think that’s a great model and we’re obviously going to need to continue.
WDD: What are the most polarizing issues and synchronized issues that government and industry entities face when collaborating on improving IoT security?
Alderfer: I don’t think there’s really a uniform answer as to what issues are the most contentious. Frankly, one of the challenges we have is just to explain what we do as an industry and that applies in the IoT space as well. What CableLabs does in terms of technology development I don’t think is very widely recognized in the policy domain, so that’s my ongoing struggle: to make sure everybody is aware of what we’re doing.
The feedback goes both ways because we want to be sure especially when there are major challenges we face as an economy, and society, where policymakers are concerned that we incorporate their views on how to address those issues because often the solutions are just not conducive to someone just writing a law or something happening at a regulatory agency.
WDD: How do government and industry entities respectively differ in strategy for combating IoT cybercrimes?
Alderfer: I’m not sure if there’s any uniform view (surely on the government side of what the strategies should be). I think industries are beginning to coalesce, but even there you see a lot of diversity. There are different thoughts on how to do things, there are different technologies out there. The Open Connectivity Foundation (OCF) on the industry side is big, but it’s not comprehensive. Companies like Google and Amazon are not under the same tent, and we’d like to see OCF bring in as many relevant players as we can.
Even if industry doesn’t all get on the same page in terms of the specifics of the code that’s going to be in every IoT device, I think there’s a pretty good chance of us at least agreeing on some key principles around the need for device identity so that when there is a problem you know what device is causing it. Authentication is important so that when a device connects we know it’s legitimate. We don’t need to communicate more broadly than what’s necessary for a specific device’s functions, which is one thing that can increase the risk of botnets and DDoS attacks. In regards to these factors, we’re pretty optimistic the industry can come to an agreement.
On the policy side, I think things are shifting. We’re seeing the FCC change its stance relative to cybersecurity. There’s obviously ongoing interest from the FCC and other agencies on this issue. One of the good things about NTIA’s multi-stakeholder process is you start to flesh some of that out and everyone gets their thoughts on the table and recommendations are made. At this point, I think that effort is promising and something we want to encourage. I think there’s some room for optimism around the risks, which are real obviously and concerning that we will get to solutions. It’s important to define success here, and I don’t think success is going to be everyone getting on the same page (industry/government) and eliminating the threat altogether.
The quote I liked from Prof. Faulhaber was: “just because you lock your door, doesn’t mean your car’s never going to get stolen”. Setting expectations is important not only for policymakers but for consumers. Facing awareness and trust so people know if they’re buying something and it does or doesn’t meet a certain standard of security, they can make decisions on how to prioritize that recognizing it does come with potential risk.
WDD: What are some of the most challenging gray areas that you think could form from unhinged public policies aimed at improving IoT security?
Alderfer: It’d be best if I didn’t speculate because frankly if we’re thinking about a reactive policy response, it will be reactive to whatever happens. That will be tough a function of events to know exactly what it will look like. One difference we see between consumer IoT devices versus industrial IoT devices is purchasers on the industrial side think more about security than consumers with awareness being much higher on the industrial side.
WDD: CableLabs recently described its BHAG (Big Hairy Audacious Goal) that involves a future built around low-latency connectivity, multi-gigabit networks, virtual and augmented reality, and artificial intelligence. How have IoT security concerns along with potential/currently active governmental policies influenced the company’s progress towards achieving that goal?
Alderfer: Security is really fundamental with all of that (future IoT tech), and needs to be integrated at the design level in any of the network functions of the services that you mentioned. To the extent it’s not by cable or anyone else, we do create risk that it’s not going to happen. Consumers won’t adapt at the rate we would like them to. It’s in the industry’s best interest (cable/ISP) we get security right because that enables everything else, which may come along with the Internet like everything that was previously mentioned. If people stop trusting the Internet that’s not only a problem for services but also a business problem for anyone buying broadband. We’re motivated to get security right across all those demands.