The Internet of Things exposes us all to the biggest cyber threats

The following op-ed was written by Dr.-Ing Monika Freunek, a research fellow with the Catalyst Fellowship Program, and was first published in the Toronto Star on March 20, 2023. 

As the U.S. government grows increasingly concerned about Americans’ data on TikTok, President Joe Biden officially announced his intention to ban the Chinese-owned app unless a new buyer is found. This move — and the recent ban of TikTok on Canadian government employees’ devices — is impressive in its decisiveness and both are noteworthy attempts to regulate cybersecurity in the Internet of Things (IoT).

The current IoT world involves billions of computing devices equipped with sensors and communication. Whether it’s smart coffee makers, voice control systems such as Google Nest, smart watches and phones, location tracking AirTags, or smart meters, IoT devices are in our lives for a variety of purposes — and sometimes they collaborate. Indeed, many of these devices carry more than 10 sensors and often users are unaware they are even there.

The IoT has become a paradox: we know it is not trustworthy, yet we entrust it not only with our entertainment, but with our most private data, our economy and critical infrastructures. The risks and vulnerabilities of distributed computing are as widespread and pervasive as the IoT is.

The problem is a growing number of vulnerabilities are impacting both the individual and national security.

Security flaws of the Signaling System No. 7 communication protocol used in mobile phones have been known for over a decade and allow for eavesdropping or the bypassing of two-factor authentication. Others enable remote access to medical and other IoT devices, their data and their configurations.

Fortunately, regulation on cybersecurity is gaining traction. Yet regulators still struggle with how to tie in cyberattacks with international law, military strategy and national standards.

Unlike in conventional warfare, cyber actions can remain undetected for a long time, and their motivations are not immediately apparent. International law on physical attacks and the integrity of national borders is well-established, but achieving an international consensus on cyberattacks will likely take years.

Citizens, then, bear a great deal of responsibility and the current educational and operational means for individual protection are limited.

Current and future IoT risk management is already challenging for cyber experts, and neither a common definition of the IoT nor standardized security metrics exist to help navigate the mess. For manufacturers seeking higher security levels, this presents a competitive disadvantage, and customers are unable to understand how truly secure their devices are.

Global legislation efforts for regulating IoT, such as the U.S. IoT Cybersecurity Improvement Act of 2020 or the proposed Canadian Bill C-26, differ in their definition of the addressed devices, leaving significant security questions open — including the handling of legacy devices that cannot achieve the required security.

In a recent study with cyber experts and various professionals conducted by Toronto Metropolitan University, there was a consensus that, yes, digitalization is essential but that IoT devices are neither secure nor expected to be securable in the future.

From a technological point of view, this is well-supported: computing resources of IoT devices are low, which ultimately limits stronger security measures such as encryption. Many devices offer easy physical access, allowing for manipulation.

Finally, there is little — or even inverse — incentive to meet basic security measures. This makes the IoT the most effective target in the cyber environment, allowing entry to other IT systems. Hence, the attack numbers on IoT devices are skyrocketing.

The inverse financial incentives also effectively punish redundancy measures. Systems we use every day are designed to protect from potentially disastrous consequences if critical components fail. When a plane engine fails, another one will kick in. Where an electric sliding door in a supermarket has a manual emergency option, an IoT system will too often either work or fail.

Currently, the possibility of failure of IoT devices remains unaccounted for even in the most important infrastructures. Apart from cyberattacks, IoT systems might also fail due to power outages, physical damage or sabotage.

In order to secure the IoT, we need to make realistic cost-benefit assessments that take safety and security into account. The concerns around TikTok are just one example: too often, our connected devices carry much more potential impact for us and our society than we are aware of. We need to be ready for the very real risk of failure of our IoT devices.

Monika Freunek, PhD, is a research fellow at Rogers Cybersecure Catalyst, Toronto Metropolitan University, and the owner of Lighthouse Science Consulting and Technologies Inc.