The security of devices and the data they acquire, process, and transmit is often cited as a top concern in cyberspace. Cyberattacks can result in theft of data and sometimes even physical destruction. Some sources estimate losses from cyberattacks in general to be very large?in the hundreds of billions or even trillions of dollars. As the number of connected objects in the IoT grows, so will the potential risk of successful intrusions and increases in costs from those incidents.

Cybersecurity involves protecting information systems, their components and contents, and the networks that connect them from intrusions or attacks involving theft, disruption, damage, or other unauthorized or wrongful actions. IoT objects are potentially vulnerable targets for hackers. Economic and other factors may reduce the degree to which such objects are designed with adequate cybersecurity capabilities built in. IoT devices are small, are often built to be disposable, and may have limited capacity for software updates to address vulnerabilities that come to light after deployment.

The interconnectivity of IoT devices may also provide entry points through which hackers can access other parts of a network. For example, a hacker might gain access first to a building thermostat, and subsequently to security cameras or computers connected to the same network, permitting access to and exfiltration or modification of SURVEILLANCE footage or other information. Control of a set of smart objects could permit hackers to USE their computing power in malicious networks called botnets to perform various kinds of cyberattacks.

Access could also be used for destruction, such as by modifying the operation of INDUSTRIAL control systems, as with the Stuxnet malware that caused centrifuges to self-destruct at Iranian nuclear plants. Among other things, Stuxnet showed that smart objects can be hacked even if they are not connected to the Internet. The growth of smart weapons and other connected objects within DOD has led to growing concerns about their vulnerabilities to cyberattack and increasing attempts to prevent and mitigate such attacks, including improved design of IoT objects. Cybersecurity for the IoT may be complicated by factors such as the complexity of networks and the need to automate many functions that can affect security, such as authentication. Consequently, new approaches to security may be needed for the IoT.

IoT cybersecurity will also likely vary among economic sectors and subsectors, given their different characteristics and requirements. Each sector will have a role in developing cybersecurity best practices, unique to its needs. The federal government has a role in securing federal information systems, as well as assisting with security of nonfederal systems, especially critical INFRASTRUCTURE. Cybersecurity legislation considered in the 114th Congress, while not focusing specifically on the IoT, would address several issues that are potentially relevant to IoT applications, such as information sharing and notification of data BREACHES.

The security of devices and the data they acquire, process, and transmit is often cited as a top concern in cyberspace. Cyberattacks can result in theft of data and sometimes even physical destruction. Some sources estimate losses from cyberattacks in general to be very large?in the hundreds of billions or even trillions of dollars. As the number of connected objects in the IoT grows, so will the potential risk of successful intrusions and increases in costs from those incidents.

Cybersecurity involves protecting information systems, their components and contents, and the networks that connect them from intrusions or attacks involving theft, disruption, damage, or other unauthorized or wrongful actions. IoT objects are potentially vulnerable targets for hackers. Economic and other factors may reduce the degree to which such objects are designed with adequate cybersecurity capabilities built in. IoT devices are small, are often built to be disposable, and may have limited capacity for software updates to address vulnerabilities that come to light after deployment.

The interconnectivity of IoT devices may also provide entry points through which hackers can access other parts of a network. For example, a hacker might gain access first to a building thermostat, and subsequently to security cameras or computers connected to the same network, permitting access to and exfiltration or modification of surveillance footage or other information. Control of a set of smart objects could permit hackers to use their computing power in malicious networks called botnets to perform various kinds of cyberattacks.

Access could also be used for destruction, such as by modifying the operation of industrial control systems, as with the Stuxnet malware that caused centrifuges to self-destruct at Iranian nuclear plants. Among other things, Stuxnet showed that smart objects can be hacked even if they are not connected to the Internet. The growth of smart weapons and other connected objects within DOD has led to growing concerns about their vulnerabilities to cyberattack and increasing attempts to prevent and mitigate such attacks, including improved design of IoT objects. Cybersecurity for the IoT may be complicated by factors such as the complexity of networks and the need to automate many functions that can affect security, such as authentication. Consequently, new approaches to security may be needed for the IoT.

IoT cybersecurity will also likely vary among economic sectors and subsectors, given their different characteristics and requirements. Each sector will have a role in developing cybersecurity best practices, unique to its needs. The federal government has a role in securing federal information systems, as well as assisting with security of nonfederal systems, especially critical infrastructure. Cybersecurity legislation considered in the 114th Congress, while not focusing specifically on the IoT, would address several issues that are potentially relevant to IoT applications, such as information sharing and notification of data breaches.