Cyber Canon Book Review: "The Internet of Risky Things: Trusting the Devices That Surround Us" (2017), by Sean Smith
Book Reviewed by: Greg Day, VP and CSO, EMEA
Bottom line: I don't recommend this book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.
With 5G pilots happening in 2019, the IoT world has the potential to hit its much-discussed population explosion. However, today there are already a significant number of IoT devices deployed. This short book walks through previous lessons learned and anecdotes, with the goal of challenging us to learn from them. With such an evolving and complex topic it has to, at times, delve into some of the more technical details, but always takes the time to use analogies to ensure fundamental concepts can be grasped and make it readable to all.
The author looks at the technological and commercial challenges, tackling the tough trade-offs between keeping costs of IoT devices down and the overhead that cybersecurity can add to this, both in terms of production costs and maintenance. He also brings in a discussion of how and why there needs to be consideration of the longevity of capabilities and expiration requirements within IoT devices.
The book starts with numerous tales of woe. The author assumes we will trust that all the facts he cites are genuine and correct, but the book lacks the evidential details. It initially shines light on the negatives of technology and early IoT implementations in society, but as you read on, there are many references back, so this context does later become important.
Reading the book, it’s unclear who is the primary audience. In some ways, its explanation and translation of the nuanced complexities of how and why different security exploits occur and a 101-style introduction to encryption methods point the book to the less technical or more senior business executive. However, as I continued reading through it, I found a number of very practical aspects that would help any IoT startup, technical group or security team looking to architect their IoT security strategy. Yet at the same time, the author does an excellent job of drawing most of his points back to real-world examples and also lateral examples, thus allowing a very broad audience to grasp the points he is trying to convey.
For example, one reference point that the author comes back to numerous times is the “cyber love canal,” which is a reference to the Love Canal neighborhood in Niagara Falls, New York, where toxic chemicals were buried, and later developed over. After numerous major health problems ensued, the area was abandoned. The author points to whether areas of cyberinfrastructure could potentially become uninhabitable due to widespread infection or loss of control.
The book also looks discusses the broader social and ethical discussions, such as:
- Privacy – Since most IoT devices gather some level of data, a key value for IoT is connecting processes/systems and sharing data. What does this mean in terms of consent and privacy and who really is the customer, you or big data gatherers?
- Trust – Be it medical systems, autonomous cars or simple speeding camera systems, what level of trust should we put in digital systems, what are the redundancies around these and could such technology be used to subvert the truth?
- Accountability and liability – When things don’t go according to plan, what is the responsibility model? Can you simply write that away in contractual terms?
For a senior leader, there is way more detail than is required for key business decisions to be made, and for a technical engineer, the examples and anecdotes may be a distraction from the raw technical insights. However, the book is written in a very readable style. I came to the conclusion the book really suits anyone who has a personal interest in how society is going to change through IoT adoption over the coming decades. My perception is that the author is a pessimist, and the reality is that the book looks at all the bad things that can occur. As more of an optimist myself, I was looking for a better balance of all the benefits IoT also provides.
Another challenge the book touches on is finding the balance between the benefits of the information that can be gathered when our lives are surrounded by technology versus the implications that may have on our privacy. It asks who really benefits from IoT: the consumer or the big-data-gathering entities and those with access to the data?
Today, there is all too often an assumption that data is fact. However, the author rightly gives examples showing this is not always true. For speeding fines generated through technology (such as speed-detector cameras), there have already been cases of the technology being proven wrong (such as through miscalibrated devices). Whilst for speeding this leads to financial and potentially personal brand issues, in more critical systems, this could have a more significant impact on human lives and society as a whole. As such, how do we put in the appropriate safeguards, and what would be a healthy level of skepticism to maintain?
Two lines that sum up the book’s view of IoT are, “Computers only do what they are told,” and, “It’s not easy to codify correct human behavior.” Technology brings amazing opportunities for business and for society. IoT has the ability to take many processes – be they simple or complex – and codify them into a digitized version. The mind-blowing opportunity comes from how each of these can be interconnected. As humans, we must consider both the positive and negative implications as we do so, hopefully, so we can mitigate as much of the latter as possible.
In summary, this is a short, very readable book that’ll give you insight into the questions to ask your business and also your family and friends about the risks and concerns in our growing digital world. It focuses on the negatives, but if we want to enjoy the positives that can be derived from IoT in decades to come, we must learn from the experiences of digitizing processes over the last few decades.
We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!