TT06 Security for the IoT Era

IoT devices have enhanced value by collecting more detailed and broader information, but have increased the risks from data breaches and large-scale cyber-attacks. While we certainly see that the value associated with utilization of data is realized, it is necessary to change the way we treat and protect data.

What we are doing

Escalating Cyberattacks

The spread and escalation of damage caused by a variety of cyberattacks know no boundaries. Today, the process that starts with these attacks and ends with funds recovery has been established as a business model. As criminal programs proliferate, more copycat offenders emerge, which encourages the techniques and tools to be continuously strengthened. This vicious cycle is accelerating.

Data breaches are steadily increasing and billions of individual user accounts are leaking. This information includes account data of online services, email addresses, associated passwords and sometimes secret questions and answers. This personal information is traded on the dark web, an Internet space accessible only by a special means. The damage is usually exposed two or three years after the fact. As a result, it is imperative to foster human resources that possess the skills to detect leak-seeking cyberattacks, deal with the ever-changing modus operandi and continue to protect information. Because it is virtually impossible to completely prevent attacks, the promptness of detection and recovery is vital. Efforts are underway to use technology to cut the affected section away from the network at a high speed, as well as for AI-assisted automatic protection.

Ransomware damage also continues to spread. Ransomware, also called ransom-demanding malware, encrypts infected data in a computer to make it unusable and demands ransom for decryption. It became common around 2013, and remains an effective means of attack. Cyberattackers purchase low-cost ransomware tools on the market, distribute them and wait to obtain ransom, repeating this “business.” It is difficult to control this crime except by improving the literacy of the public. The damage is expected to continue.

IoT Worsens Cyber threat

In 2016, IoT was much discussed as an element that makes cyberattacks more serious. IoT devices, which include surveillance cameras, network devices, video recorders and electric meters, are powerless, stand-alone computers that are always connected to the Internet, and therefore exposed to the risk of information breaches and takeovers. These devices tend to run for a long time with a well-known initial password. Cyberattackers look for these “stray IoT” devices on a daily basis, and upon finding one exploit its vulnerability.

By the end of 2016, the number of stray IoTs in the world rose to hundreds of thousands. Cyberattackers organized them as a botnet, a group of bots working for Cyberattackers, and used them in the largest DDoS attacks in history. Huge amounts of packets were thrown onto specific websites in classic attacks disabling access to those sites, and resulting in enormous damages where multiple online services were suspended. A variety of similar attacks ensued. As with other cybercrimes, the IoT botnet is probably already established as a business and its use is on the rise.

The search for specific security measures to respond to IoT security threats is gathering speed. Using the computer security knowledge already established for IoT, it will probably be possible to eliminate IoT’s vulnerability. However, it is difficult to deal with the costs for such measures, combined with the lack of incentives for action. The imposition of liability to IoT device manufacturers, and authenticating and labeling these devices to prevent the emergence of stray IoTs, is currently under discussion. In Japan, an IoT security guideline was published and detailed measures are under review.

Rapid Rise in the Quality and Quantity of Personal Data due to IoT

The value of secured data, especially personal data that should be protected and kept intact, will be changing. Traditional personal data includes data that users registered themselves, and those in which users’ behaviors on the Internet were recorded. In the future, personal data will include behavioral and biological information of individuals that IoT devices capture from the physical world. As information continues to increase, it is assumed that a dramatic improvement of analytical ability will determine more detailed attributes of individuals. Even today, personal data on the Internet, such as clicking actions on a browser, postings on an SNS and products selected, are thoroughly collected. For example, the reason for the extremely accurate recommendations made about on-demand videos is the presence of a system that records and analyzes the user’s viewing history, time, search history, pausing, fast-forwarding and even scrolling actions when selecting a video.

In the future, more information will be added to the data on individual behaviors that are observed by IoTs in the physical world. For example, a wearable device will obtain heart rate, blood pressure, running distance, speed and position information. A navigation system will collect the driving area, speed and vehicle condition. A security camera will catch images of a face, which is automatically identified and analyzed. A system records the rail stations where you get on and off a train, duration of a ride and the time it takes to change trains. As long as the user agrees, all this information will be attached to personal data, making personalization more robust.

Additional data created through estimation by AI based on huge amounts of combined personal information could bring negative results and disadvantages. For example, if estimated data such as health condition, healthy life expectancy and the possibility of illness in the future is created, all kinds of personalization could happen; from the presentation of certain drug advertisements to the control of advertisements soliciting for insurance policies or loans. This negative estimated data is produced before the individual realizes it, so it cannot be changed even if the information is wrong. This will cause disagreements if individuals have no way to alter the wrong information.

The Status of Security and Information

As we face problems about treatment of widely-collected personal and estimated data, we can no longer avoid the key question of who owns the data. Currently, information about private citizens belongs to companies that collected and analyzed that information. As a result, many countries require the agreement of private parties on the collection of their information, and/or have legislation that governs the use of such information by third parties.
Trials are starting to build a data trading market that promotes the fee-based distribution of valuable information. Meanwhile, there are services that use anonymization technology to process the collected personal data into forms unidentifiable as any individuals, so that the data can be used in marketing without approval. The GDRP (EU General Data Protection Regulation), which aims to protect particularly critical personal data, is expected to go into effect in May 2018. The time has come for companies to build specific plans to adhere to this framework.

Large companies, who hold a dominant position on the Internet, particularly in the information distribution by smartphones, have already established a system where individuals who provided personal data can control their own information. In addition, in an attempt to acquire the information on IoT devices, they are expanding their service menus. They are also providing a console where users themselves can configure the opt-ins broken down by types of information, the viewing of collected information and the customization of advertisements. In other words, large companies are building a system to store information, while meeting the changes in the status of information.
It is possible to create an organization to counteract this oligopoly and to actively distribute information. However, it will be a long-term challenge to establish a business model where the new organization will acquire the trust needed to take care of large amounts of information and protect it. One of first ideas may be data exchange markets for open data collected by IoT devices, which a public organization owns. Accumulating such experiences will lead to the next stage of dealing with valuable information, such as personal information, which generates more profit.

What are you looking for? search