Testimony before US-China Economic & Security Review Commission re IoT & 5G

Earlier this month, at the invitation of the US-China Economic and Security Review Commission, I submitted written testimony and subsequently testified at the China, the United States, and Next Generation Connectivity hearing regarding IoT Systems risk mitigation for institutions and cities as well as considerations regarding 5G deployments on the same.

A copy of the written testimony is here. A transcript of the oral testimony will be available in the next weeks.

The testimony discussed potential benefits of IoT Systems for US government, cities, universities, other institutions, and companies. It also discussed risks to those same entities from IoT Systems implementations. The risks discussed include:

  • Supply chain risks
  • Poor selection, procurement, implementation, and management of IoT Systems
  • Lack of institutional governance and lack of awareness of social-technical issues in IoT Systems deployments

Prior to the testimony, I was asked how the US government could help. I suggested these four areas in the testimony:

  • Standardized provenance vetting and reporting for IoT device components
  • Support for increased US labor force training in Operational Technology (OT) skill sets
  • Support for development of institutional and city IoT governance frameworks
  • Support for data ethnography and socio-technical research and application in context of IoT Systems

The testimony also included comments on supply chain risks:

Provenance of multiple components across thousands, millions (or more) devices is challenging

As well as aspects previously discussed in this blog such as the ability of an institution or city to manage their IoT systems:

where the wild things are [reference to Sendak]

Full written testimony is here:

https://www.uscc.gov/sites/default/files/Chuck%20Benson_Written%20Testimony.pdf

Avoiding a Tragedy of the Commons

So maybe SMB Information Risk & Security doesn’t have to be a Tragedy of the Commons.

Admittedly, at initial glance it appears that it has to be. So many SMB’s have so few resources: they rarely have security expertise, typically have very little IT expertise, and probably zero information risk management expertise. Again, the reasons for this are not difficult to see. Their resources are limited, and many of the traditional enterprise approaches to risk and security simply don’t scale down cost-effectively.

What’s one more fish?
(Image by Earth’sbuddy [CC-BY-SA-3.0] via Wikimedia Commons)

This is why risk and security for SMB’s can appear to be a Tragedy of the Commons. As discussed a couple of posts ago, a Tragedy of the Commons as introduced by Hardin in 1968 covers such scenarios as overfishing a portion of the ocean or overgrazing a pasture. Each individual actor, whether fisher getting one more fish or farmer putting one more cow on the pasture, contributes to the demise of the shared resource for all in the long-term while acting on self-interest in the short-term.

Similarly, it was suggested in that post that the Internet is a shared resource for SMB’s. When an individual business is attacked, 1) the business can suffer itself, and/or 2) the business is used as an attack platform against other businesses, which diminishes, i.e. depletes, the utility of the shared resource. However, in the short-term, the SMB has a hard time justifying risk management and security investment on its own behalf because it requires internal resources bound for marketing, R&D, production and similar.

Solution to Prisoner’s Dilemma Approach

The Tragedy of the Commons idea introduced by Hardin is similar to the Prisoner’s Dilemma, where it is assumed that there is no (or little) communication between actors – prisoners, in this case. While working independently and integrating previous and existing research, Elinor Ostrom, 2009 Nobel Prize Winner for Economic Sciences (shared with Oliver Williamson), showed that there were many examples of successful sharing of a common pool resource (CPR). She asked the question, “Are rational individuals helplessly trapped in dilemma’s?” To answer this, she studied irrigation systems in Nepal, forests around the world, fisheries, police and government systems, as well as studies in her own laboratory.

Among other things, she clearly pointed out that there was indeed communication between the actors that were successfully sharing a Common Pool Resource. Further, a key component amongst actors in successful common sharing was trust.

Polycentric Governance Success

What follows are a number of her observations from her Prize Lecture entitled “Beyond Markets and States: Polycentric Governance of Complex Economic Systems”. I am not suggesting that these observations directly map onto the Common Pool Resource problem of SMB’s sharing the Internet. However, I do believe that they are worthy of reflection in this context and can serve as the basis for further discussion. (That said, I think the title itself may hold clues to the SMB Tragedy of the Commons problem.)

  • panaceas are potentially dysfunctional
  • small to medium-sized cities are more effective monitors of performance & costs
  • dissatisfied citizens (group members) can ‘vote with their feet’ and move to another group
  • large, incorporated communities can change contracts with external providers, but urban, less structured, districts have no voice
  • Re police in metropolitan areas, a large number of direct service producers (e.g. patrol) was more efficient, while a small number of indirect service producers (e.g. dispatch, crime lab analysis) was more efficient; that is, the most efficient arrangement was a mix of large and small
  • complexity is not the same as chaos and it is often worth the investment to better understand the complexity
  • groups that did not communicate were more likely to overuse the shared resource
  • 5 types of property rights discovered, not just one (access, withdrawal, management, exclusion, & alienation rights)

Successful shared resource scenarios tended to have these traits:

  • boundaries of users & resource are clear
  • congruence between benefits & costs
  • actors had procedures for making their own rules
  • regular monitoring of resource and actors
  • graduated sanctions (against rule violators)
  • conflict resolution mechanisms
  • minimal recognition of rights by government
  • nested enterprises
  • users/actors themselves are active monitors of resource consumption (i.e. not a 3rd party)

Other observations:

  • users monitoring resource themselves more important than type of resource ownership
  • stronger when local communities have strong rule-making autonomy and incentives to monitor
  • behavioral theorists now looking at actors/individuals where individual is boundedly rational, but can learn
  • learning to trust others is central to cooperation
  • healthy resources have actors/users with long-term interests in the resource and invest in monitoring and building trust

What are the parallels between these observations and the secure-SMBs-on-the-Internet Tragedy of the Commons issue? Should government intervene? (These observations don’t make a strong case for it.) Should trade groups organize rules? Should small, geographically similar SMB’s develop their own working groups somehow? Should SMB’s of similar size across the globe organize and develop membership rules re Internet participation? Are there other natural alignments amongst SMBs?

How do we increase the safety and security and lower the risk profile of SMB’s on the Internet?