Foreword

I was overjoyed to hear that my friend Nitesh Dhanjani was writing a book about the Internet of Things (IoT). It’s a field that equally excites and terrifies me.

Major security breaches are near-daily events in the news. The frequency and scale of these breaches has made us somewhat numb. As modern societies, we have come to accept that the benefit we receive from adopting innovative technologies exceeds their cost and risk (at least in the short term). Our collective failure to fundamentally “do something” to change this pattern of insecurity is prima facie evidence that we value benefit over risk.

The key to this “benefit is greater than risk” equation is that the historical risks that have manifested themselves are mostly of an intangible nature. They involve information and money. Now, suppose the consequences were to become tangible: cities plunged into darkness, medical devices killing patients, refrigerators spoiling food, drivers losing control of cars, airplanes falling from the sky, and on and on. Would we still be as tolerant of technology failure as we currently are?

I suspect that our concept of risk has evolved with a strong bias toward physical consequences over intangible, abstract risk. This is perhaps one of the reasons that information security risk is difficult for most people to conceptualize. I also suspect that, as information security breaches manifest themselves physically, we will rethink the risks of the IoT.

In “the real world” there are many construction codes that define requirements for physical infrastructure, and licensed engineers and inspectors to ensure compliance and accountability. When will we reconsider what security should mean in a world saturated with billions of connected devices?

I can only hope that those who read this book will see that the technology investment cycles that we have depended on for delivering innovation should be rethought for connected devices. Applying development and quality control processes that are designed for rapid innovation, low cost, and short product lifetimes will fail to prevent further erosions in our security and privacy.