The Resilience Approach to Cybersecurity Policy in the Internet of Things Ecosystem

July 31, 2019

Project Summary

The Internet of Things (IoT) — the extension of internet capabilities to more and more devices — is growing: in 2018, the number of IoT-capable devices surpassed two per person on the planet, totaling 17 billion unique devices. However, as the network of interconnected devices expands, so do concerns about cybersecurity.

This research explores how to address cybersecurity issues without stifling innovation in the growing network of interconnected devices. The author finds that the complexity and dynamism of the internet make it difficult for a uniform regulatory policy to effectively meet cybersecurity goals. The author instead suggests that a policy centered around resilience, one that preserves the adaptability of the IoT ecosystem, would allow for nimble and effective responses to security threats.

Problems Governing the Internet of Things Ecosystem
The author finds that the current approach to cybersecurity — top-down uniform regulation — does not effectively address security issues because it requires centralized government decision-makers to act as the sole source of governance in addressing insecurity. Because the IoT is continually changing, cybersecurity will always be a moving target, and top-down legislation will likely be ineffective.

The Resilience Approach
Instead of a static approach to cybersecurity, the author suggests the use of polycentric institutional arrangements: multiple, overlapping centers of decision-making. This research examines three different polycentric approaches — Peer-to-Peer governance, soft law, and emergent multi-organization networks — that have the potential to improve resilience and adaptability in the IoT ecosystem:

  • Peer-to-Peer governance allows groups to manage digital resources and engage in experimentation at the firm and institutional level, emphasizing open-source processes of developing new technologies.
  • Soft law is a set of informal rules, arrangements, and non-binding standards that allow institutional trial and error, which leads to less vulnerable systems.
  • Emergent multi-organization networks allow a variety of organizations to interact with formal state and federal agencies to tackle problems.

This research suggests that because of the complex and dynamic nature of the IoT, a top-down solution is not likely to be effective. Instead, polycentric approaches that support resilience without stifling innovation may be the most promising way to promote cybersecurity.

Project Authors