The Chairman of the Joint Chiefs of Staff emphasizes today the harm that cyberattacks can do and says that the US has no competitive advantage on the global “level playing field” of cybersecurity, and the President prepares to address cybersecurity in the State of the Union, including resources for training. Meanwhile, the Prime Minister of France declares “war” and political leaders around the world urge vigilance and collaborative action by citizens to detect and prevent terrorism.

In the US, we may be less docile and more divided than we were when “duck and cover” drives in the early 1950s used fear of bombs raining down from the skies to bring the Cold War home, but we are being bombarded with much more powerful messages. War is fought with videos designed to depict murders as terrifying as possible, and global ideological wars are fought (we are told) by a nation against an entertainment company, through a hack, and much more tragically and directly by a wing of a religion against a satirical newspaper. Whatever your beliefs, one message is clear: We need not look to the skies for hypothetical attacks against which we (individuals, companies) hold the weaker hand; real attacks are all around us, particularly on the Internet but also in the physical world around us.

As the Internet comes to control the physical world around us through the Internet of Things, the risks associated with such attacks will grown exponentially. Given the fundamental insecurity of the networked Internet of Things, collaborative public-private partnerships will be increasingly adopted as the means of securing the critical Internet infrastructure, rather than merely expecting all individual organizations to make all the decisions and bear all the costs of their own information security; such a chain filled with weak links endangers the security of the stronger links. We need national equivalents of the Securing Our e-City program (born in San Diego) that incorporate public, organizational and individual efforts.

The Federal Trade Commission is about to come out with its report on the Internet of Things. This report will have little to do with collaborative, public-private cybersecurity, because such collaboration is neither the FTC’s jurisdiction nor the way that it approaches its mission. The report will probably focus on the protection of personal information according to the principles that have dominated the privacy debate since 1973, the FIPs.which impose accountability only on the organization processing the information (in part because they date from a time when an organization’s ability to do so was a reasonable assumption). Those are important issues; many critical infrastructure security issues, however, have little to do with personal information. That may be one reason, whether currently known or not, why the Federal Communications Commission may need to regulate the ISPs at the center of of the public Internet of Things, together, potentially, with components of the private IoT.

No matter what, security for the Internet of Things needs to be adaptive cybersecurity, including both (1) public-private partnerships protecting critical infrastructure, and (2) awareness training based on sound choice architecture for the individual citizen. More fundamentally, security for the Internet of Things will test our ability to collaborate to protect the commons, which is why careful choice architecture needs to be the human side of securing the critical infrastructure.

Click here to view image.