The IoT blame game

IoT blame gameThe first Friday the thirteenth of any year is officially “Blame Someone Else Day.” What a delightful thought – that all the failures, inconsistencies, and ill-advised schemes hatched in the previous 12 months could be legitimately handed off to that universal sink of all blame: “someone else.”

After all, apportioning blame helps us deal with the event itself – it turns the unmanageable into the explicable – taking away the sting of the event, and turning it into something we can hope to avoid in the future.

Except, what happens when there is no one to blame, and nothing to do to fix the misstep? Any time there’s a serious security breach, where personal data, credit card data, and the like, gets stolen, we, in the industry, look for someone, or something, to blame.

“Unpatched vulnerability! Unwatched event logs! Inept users!” The list goes on. But we do, at least, have a list to rely on for an explanation. The extent of the breaches is evident and discrete. Files are stolen. Data is exfiltrated. Websites are brought down.

This pleasing sequence of cause and event may be something we should see as a quaint holdover from a simpler time. The ability to point the finger with any degree of certainty may be something we should enjoy as a luxury. Perhaps, even the ability to know that a breach has really occurred is something we might look back on with a degree of fondness.

I’ve said many times before that the IoT changes everything. Deeply and utterly. The reasons are manifold – that the extent to which our everyday lives will be intertwined with this technology is much deeper than anything we’ve seen; that the complexity of the IoT will outweigh anything we’ve ever built before; and, that the scale of the IoT will dwarf any information system we have previously conceived. But, until recently I’d never really considered the profound implications for when things go wrong. Because, of course, go wrong they will.

The IoT will represent tens of billions of connected devices, communicating in complex ways with each other, and occasionally of course, with us. Data flowing in vast, invisible currents, copied, duplicated, created and analyzed, filed and stored. The full flowering of the IoT will be like nothing we’ve ever seen and no one entity, private, government or trans-national, will control more than a fraction of it.

So, what happens when some part of it fails, when a set of devices is misappropriated, when a set of data is siphoned off for illicit use? How will anyone be able to piece together what’s actually happening in time to do more than just look back, shrug, and hope that the next time we are luckier?

As each new generation of technology, each new wave of smart product, service or device, is added, the pressure to “one-up” the last generation, to add more and more capabilities, will be unrelenting and unavoidable. Competitive pressures will cause more and more manufacturers to stuff their products with more and more complex features; enable them to connect to more and more devices; and share more and more data. It will be an arms race of feature-creep that will push complexity off the scale.

And we’ll be terrible at trying to figure it all out. We always are, the first time out the gate, and this will be the case with every new generation of technology. With the IoT, however, the ability to figure out what the heck is going on will become less and less meaningful as our ability to diagnose the problem becomes overwhelmed in the potential interactions.

Perhaps worse than misdiagnosing the problem is that we may not even know when the IoT is failing – when it has been successfully breached. We accept the existence of a “dark web” because the presence of systems and services “off the radar” is inevitable, given the internet’s complexity, combined with certain aspects of human nature that crave privacy (sometimes for very good reasons). A dark IoT is every bit as inevitable. As the IoT develops, there’s a strong possibility of an IoT operation where compromised devices are used to gather illicit information, interactions of data flow are used to breach privacy regulations, and devices are suborned to facilitate crime, surveillance or simple mischief.

The poet Shelley could have been talking about the IoT when he famously wrote in his 1818 sonnet “Ozymandias”– “Look upon my works, ye mighty, and despair.”

The IoT, if it delivers upon its full promise, will be a startling and almost magical creation. It will, without doubt, change our lives for the better. Yet, it will be difficult to fully understand and control all the constituent parts and interactions, and navigate all the potential risks. When parts of it break or are willfully broken, we will be challenged by the reality that there is no one group to blame, no one place to point the finger, no “Blame Someone Else Day” on the IoT calendar.

It will be an uncomfortable feeling. It will challenge us in ways we have not been challenged by technology before. But, if we wish to reap rewards of the IoT, we will need to embrace a degree of uncertainly and loss of control quite unlike anything we have seen before.

Don't miss