key: cord-0200780-xfggtl4j
authors: Trautman, Lawrence J.; Hussein, Mohammed T.; Ngamassi, Louis; Molesky, Mason J. (Prairie View A&M University; The George Washington University)
title: Governance of the Internet of Things (IoT)
date: 2020-04-08
journal: nan
DOI: nan
sha: 73df1f3b15773392254d8245037db861eae848ed
doc_id: 200780
cord_uid: xfggtl4j

Today's increasing rate of technological change results from the rapid growth in computer processing speed, when combined with the cost decline of processing capacity, and is of historical import. The daily life of billions of individuals worldwide has been forever changed by technology in just the last few years. Costly data breaches continue at an alarming rate. The challenge facing humans as they attempt to govern the process of artificial intelligence, machine learning, and the impact of billions of sensory devices connected to the Internet is the subject of this Article. We proceed in nine sections. First, we define the Internet of Things (IoT), comment on the explosive growth in sensory devices connected to the Internet, provide examples of IoT devices, and speak to the promise of the IoT. Second, we discuss legal requirements for corporate governance as a foundation for considering the challenge of governing the IoT. Third, we look at potential IoT threats. Fourth, we discuss the Mirai botnet. Fifth is a look at the IoT threat vector vulnerabilities during times of crisis. Sixth, we discuss the Manufactured Usage Description (MUD) methodology. Seventh is a discussion of recent regulatory developments. Next, we look at a few recommendations. And finally, we conclude. We believe this Article contributes to our understanding of the widespread exposure to malware associated with IoT and adds to the nascent but emerging literature on governance of enterprise risk, a subject of vital societal importance.

We're entering an age of acceleration.
The models underlying society at every level, which are largely based on a linear model of change, are going to have to be redefined. Because of the explosive power of exponential growth, the twenty-first century will be equivalent to 20,000 years of progress at today's rate of progress; organizations have to be able to redefine themselves at a faster and faster pace.

Director of Engineering at Google 1

Today's increasing rate of technological change results from the rapid growth in computer processing speed, when combined with the cost decline of processing capacity, and is of historical import. 2 Giaretta, Dragoni and Massacci report, "Smart homes are equipped with a growing number of IoT devices that capture more and more information about human beings' lives. However, manufacturers paid little or no attention to security…" 3

Manufacturers are creating an incredible variety and volume of Internet of Things (IoT) devices, which incorporate at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface (e.g., Ethernet, WiFi, Bluetooth, Long-Term Evolution [LTE], ZigBee), and are not conventional IT devices for which the identification and implementation of cybersecurity features is already well understood (e.g., smartphone, laptop). Many IoT devices provide computing functionality, data storage, and network connectivity for equipment that previously lacked these functions. In turn, these functions enable new efficiencies and technological capabilities for the equipment, such as remote access for monitoring, configuration, and troubleshooting. IoT can also add the ability to analyze data about the physical world and use the results to better inform decision making, alter the physical environment, and anticipate future events. 4

The daily life of billions of individuals worldwide has been forever changed by technology in just the last few years. 5 Costly data breaches continue at an alarming rate.
6 By 2020, "IoT devices are increasingly being implicated in cyber-attacks, raising community concern about the risks they pose to critical infrastructure, corporations, and 7

In an effort to mitigate "this risk, the IETF is pushing IoT vendors to develop formal specifications of the intended purpose of their IoT devices, in the form of a Manufacturer Usage Description (MUD), so that their network behavior in any operating environment can be locked down and verified rigorously." 8

The challenge facing humans as they attempt to govern the process of artificial intelligence, machine learning, and the impact of billions of sensory devices connected to the Internet is the subject of this Article. We proceed in nine sections. First, we define the Internet of Things (IoT), comment on the explosive growth in sensory devices connected to the Internet, provide examples of IoT devices, and speak to the promise of the IoT. Second, we discuss legal requirements for corporate governance as a foundation for considering the challenge of governing the IoT. Third, we look at potential IoT threats. Fourth, we discuss the Mirai botnet. Fifth is a look at IoT threat vector vulnerabilities during times of crisis. Sixth, we discuss the Manufactured Usage Description (MUD) methodology. Seventh is a discussion of recent regulatory developments. Next, we look at a few recommendations. And finally, we conclude. We believe this Article contributes to our understanding of the widespread exposure to malware associated with IoT and adds to the nascent but

Bruce Sinclair writes that, "the Internet of Things (IoT) is just an evolution of the Internet. No more, no less. But the business ramifications of IoT are revolutionary and will usher in the Outcome Economy." 11 Mr. Sinclair further observes that "The Internet of Things killer app is outcomes. It's outcomes that customers usually want. They don't even care about products: they care about what products do for them….
Customers don't want to own cars, they want to get from one place to another, fast and safe." 12

Trautman and Ormerod write that "The proliferation of novel consumer devices and increased Internet-dependent business and government data systems introduces vulnerabilities of unprecedented magnitude." 13 These "Digital vulnerabilities touch upon a number of different areas of the law: privacy, 14 risk management, 15

use the results to better inform decision making, alter the physical environment, and anticipate future events. While the full scope of IoT is not precisely defined, it is clearly vast. Every sector has its own types of IoT devices, such as specialized hospital equipment in the healthcare sector and smart road technologies in the transportation sector, and there is a large number of enterprise IoT devices that every sector can use. Versions of nearly every consumer electronics device, many of which are also present in organizations' facilities, have become connected IoT devices: kitchen appliances, thermostats, home security cameras, door locks, light bulbs, and TVs. 27

During 2019, Giaretta, Dragoni and Massacci provide the following summary of the IoT environment:

According to Gartner Hype Cycle for Emerging Technologies, Internet of Things (IoT) surpassed the so-called peak of disillusion, headed to an established role within society. But all the problems are far from being solved and, the more pervasive the IoT becomes, the harder it is to manage. In particular, IoT security is one of the biggest cybersecurity challenges, and one of its most embarrassing failures. Traditional cybersecurity solutions have proven to be ineffective for IoT due to a number of technical and operational challenges. First, IoT devices are highly heterogeneous, with huge differences across tiers, languages, OSes, and networks. Also, the IoT lacks a common security framework, and standards are still not settled.
Often times, security is not a manufacturers' (nor IT admins') core competency, and may not be even considered part of the IoT product development process. 28

A recent Google search identified consumer products such as a front door IoT camera monitor having a sales price point of US$34.95; and a baby monitor offering "Pet

The promise of the IoT/IoE is that devices can now connect together (and with people) to enable new actions, to do something they couldn't before; like to warn you when your resting heart rate is too high, or learn how cool 29

According to Bruce Sinclair, system integration engineers "look at IoT technology as a networking stack, which is, in a sense simply a protocol map." 33 (See Exhibit 2.) Mr. Sinclair then hastens to add, "Mapping protocols from where the sensor data comes in, to the application is the absolute wrong way to look at the tech, at least for business. This is plumbing and not where the value originates." 34

Exhibit 2: Network Engineer's View of IoT 35

32 Kris Alexander, CTO, Akamai Technologies; https://junipernetworks.cioreview.com/cxoinsight/the-promise-and-challenges-of-an-internet-of-things-iotworld-nid-4769-cid-73.html
33 See Sinclair, supra note 11 at 5.

Writing from a business value perspective, Bruce Sinclair observes, "but plumbing is a means to an end; it is the way to get data from one place to another." 36 While Sinclair writes, "I don't look at IoT tech as a networking stack because it doesn't properly isolate and highlight where value is created," 37 mention of the networking stack lends value to our discussion here.

Many organizations are not necessarily aware they are using a large number of IoT devices. It is important that organizations understand their use of IoT because many IoT devices affect cybersecurity and privacy risks differently than conventional IT devices do.
Once organizations are aware of their existing IoT usage and possible future usage, they need to understand how the characteristics of IoT affect managing cybersecurity and privacy risks, especially in terms of risk response: accepting, avoiding, mitigating, sharing, or transferring risk. 40

We now present a very brief discussion of the corporate duties of loyalty and care. Under Delaware law, the duty of loyalty requires "that there shall be no conflict between duty and self-interest." 41 The core concept of the fiduciary "duty of loyalty" has been described as:

[t]he requirement that a director favor the corporation's interests over her own whenever those interests conflict. As with the duty of care, there is a duty of candor aspect to the duty of loyalty. Thus, whenever a director confronts a situation that involves a conflict between her personal interests and those of the corporation, courts will carefully scrutinize not only whether she has unfairly favored her personal interest in that transaction, but also whether she has been completely candid with the corporation and its shareholders. 42

processes invoked to ensure fairness to the corporation and its stockholders that will determine the propriety of the director's conduct…" 43 Generally, except in cases where a director has an undisclosed financial interest in the outcome of a major corporate purchase or contract decision, the duty of loyalty does not seem to require additional focus.

Supr. 1985).
The Delaware Supreme Court found that the experienced and sophisticated directors of Trans Union Corporation were not entitled to the protection of the business judgment rule and had breached their fiduciary duty to their shareholders "(1) by their failure to inform themselves of all information reasonably available to them and relevant to their decision to recommend the Pritzker merger; and (2) by their failure to disclose all material information such as a reasonable shareholder would consider important in deciding whether to approve the Pritzker offer." Id. at 888; see also Peter V. Letsou, Cases and Materials on Corporate Mergers and Acquisitions n21 at 643 (2006) (observing "Trans Union's five 'inside' directors had backgrounds in law and accounting, 116 years of collective employment by the company and 68 years of combined experience on its Board. Trans Union's five 'outside' directors included four chief executives of major corporations and an economist who was a former dean of a major school of business and chancellor of a university. The 'outside' directors had 78 years of combined experience as chief executive officers of major corporations and 50 years of cumulative experience of Trans Union. Thus, defendants argue that the Board was eminently qualified to reach an informed judgment on the proposed 'sale' of Trans Union notwithstanding their lack of any advance notice on the proposal, the shortness of their deliberation, and their determination not to consult with their investment banker or to obtain a fairness opinion.").

Page 17 All rights reserved Mohammed T. Hussein, Louis Ngamassi & Mason J. Molesky

individual directors liable for breaching their duty of care."
46 Experienced and sophisticated directors in that case were not entitled to the protection of the business judgment rule in some cases because:

the duty of care specifies the manner in which directors must discharge their legal responsibilities… includ[ing] electing, evaluating, and compensating corporate officers; reviewing and approving corporate strategy, budgets, and capital expenditures; monitoring internal financial information systems and financial reporting obligations, and complying with legal requirements; making distributions to shareholders; approving transactions not in the ordinary course of business; appointing members to committees and discharging committee assignments, including the important audit, compensation and nominating committees; and initiating changes to the certificate of incorporation and bylaws. 47

The broad Duty of Care includes a duty to provide data security. Professors Trautman and Ormerod write:

The duty of care applies across directors' and officers' myriad responsibilities, including handling the corporation's digital data. There is, therefore, an emerging specific application of the duty of care as related to information technology: the duty to secure data. The applicable standard of care requires directors "to provide 'reasonable' or 'appropriate'

There is not, however, a single source, such as a comprehensive federal statute or regulation, that imposes a duty to provide data security. Rather, corporate legal obligations to implement data security systems are "set forth in an ever-expanding patchwork" of state, federal, and international statutes; regulations; enforcement actions; and common law duties, including "contractual commitments, and other expressed and implied obligations to provide 'reasonable' or 'appropriate' security for corporate data.
The widespread incorporation of "smart" devices into everyday objects is changing how people and machines interact with each other and the world around them, often improving efficiency, convenience, and quality of life. Their deployment has also introduced vulnerabilities into both the infrastructure that they support and on which they rely, as well as the processes they guide. Cyber actors have already used IoT devices for distributed denial-of-service (DDoS) attacks, and we assess they will continue. In the future, state and non-state actors will likely use IoT devices to support intelligence operations or domestic security or to access or attack targeted computer networks. 60

Another way to think about IoT security vulnerabilities is to consider how you take the time to see that your home or apartment, containing your valuable possessions, is securely locked when you leave it unattended. Here, just as with your valuable personal data assets, the use of poorly secured IoT devices is roughly equivalent to locking the

By now, every reader should be aware of the continued threat posed by inadequate data security. 63 A comprehensive discussion about the history, nature, and current threat profile of data breaches is beyond the scope of this single Article. However, we have chosen to mention and describe briefly the following data breaches:

Target

Aadhaar database, Jan. 3, 2018. 1,190 million names, addresses, email addresses, dates of birth, phone numbers, fax numbers, genders, IP addresses, and photographs of Indian citizens… January 3, 2018.

6. VERIFICATIONS.IO (Estonia). 982 million names, addresses, email addresses, dates of birth, phone numbers, fax numbers, genders, IP addresses, personal mortgage amounts, and FTP server credentials, exposed on the Internet due to a misconfigured database. March 7, 2019.
Approximately 885 million real estate closing transaction records containing names, Social Security numbers, phone numbers, email and physical addresses, driver's license images, banking details, and mortgage lender names and loan numbers exposed on the Internet due to an IDOR flaw.

8. UNKNOWN (Netherlands). Breach of 711 million records: email addresses; passwords; credentials exposed on the Internet due to a misconfigured database, January 3, 2017.

9. CULTURA COLECTIVA (Mexico). 540 million Facebook user IDs, account names, comments, and likes exposed on the Internet due to a misconfigured database.

a type of malware installed on a computer or server that encrypts the files, making them inaccessible until a specified ransom is paid. Ransomware is typically installed when a user clicks on a malicious link, opens a file in an e-mail that installs the malware, or through drive-by downloads (which do not require user installation) from a compromised Web site. 87 The FBI further states that, "hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses: these are just some of the entities impacted by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them." 88 The U.S. National Cybersecurity and Communications Integration Center (NCCIC) warns, "Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including: temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization's reputation."
89 Consider that, "the inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization's reputation." 90 The FBI warns, "in a ransomware attack, victims, upon seeing an e-mail addressed to them, will open it and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code." 91 Alternatively, "the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software." 92 In addition:

Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been

Akamai observes that use of IoT devices and other capabilities usually not found in botnets make Mirai "truly exceptional… specifically Generic Routing Encapsulation (GRE) based attacks, varying levels of attack traffic customization, and telnet scanning. In addition, it generates its attacks directly…. Due to the public release of the source code… we're likely to see new, more-capable variants of Mirai in the near future." 105 In addition:

Mirai is a botnet that would not exist if more networks practiced basic hygiene, such as blocking insecure protocols by default. This is not new; we've seen similar network hygiene issues as the source of infection in the Brobot attacks of 2011 and 2012. The botnet spreads like a worm, using telnet and more than 60 default username and password combinations to scan the Internet for additional systems to infect.
The majority of these systems appear to be Digital Video Recorders (DVRs), IP-enabled surveillance cameras, and consumer routers.

Federal Trade Commission." 108 As a result of the rapid growth in IoT devices, the Report notes that distributed denial of service "DDoS attacks have grown in size to more than one terabit per second, far outstripping expected size and excess capacity. As a result, recovery time from these types of attacks may be too slow, particularly when mission-critical services are involved." 109 These automated and distributed attacks (e.g., botnets), "are used for a variety of malicious activities… that overwhelm networked resources, sending massive quantities of spam, disseminating keylogger and other malware, ransomware attacks distributed by botnets that hold systems and data hostage." 110 The Report further states, "Traditional DDoS mitigation techniques, such as network providers building in excess capacity to absorb the effects of botnets, are designed to protect against botnets of an anticipated size… [but] were not designed to remedy other classes of malicious activities facilitated by botnets, such as ransomware or computational propaganda." 111 And:

The DDoS attacks launched from the Mirai botnet in the fall of 2016, for example, reached a level of sustained traffic that overwhelmed many common DDoS mitigation tools and services, and even disrupted a Domain Name System (DNS) service that was a commonly used component in many DDoS mitigation strategies. This attack also highlighted the growing insecurities in, and threats from, consumer-grade IoT devices. As a new technology, IoT devices are often built and deployed without important security features and practices in place.
While the original Mirai variant was relatively simple, exploiting weak device passwords, more sophisticated botnets have followed; for example, the Reaper botnet uses known code vulnerabilities to exploit a long list of devices, and one of the largest DDoS attacks seen to date recently exploited a newly discovered vulnerability in the relatively obscure MemCacheD software. These examples clearly demonstrate the risks

130 NIST is the standards body, particularly for cybersecurity standards, for the US Government. 131 The document describes MUD and its purpose:

The goal of the Internet Engineering Task Force's manufacturer usage description (MUD) architecture is for Internet of Things (IoT) devices to behave as intended by the manufacturers of the devices. This is done by providing a standard way for manufacturers to identify each device's type and to indicate the network communications that it requires to perform its intended function. When MUD is used, the network will automatically permit the IoT device to perform as intended, and the network will prohibit all other device behaviors. 132

MUD-capable IoT devices for use in homes and small businesses make it more difficult for malicious actors to exploit these IoT devices to mount DDoS attacks across the Internet. 133 NIST explains that "MUD provides a standard method for access control information to be available to network control devices." 134

In just about a decade blockchain technology has grown to be viewed with substantial promise for its potential to provide enhanced software security. 140

The emerging Internet of Things (IoT) is facing significant scalability and security challenges. On the one hand, IoT devices are 'weak' and need external assistance. Edge computing provides a promising direction addressing the deficiency of centralized cloud computing in scaling a massive number of devices. On the other hand, IoT devices are also relatively 'vulnerable' facing malicious hackers due to resource constraints.
The emerging blockchain and smart contracts technologies bring a series of new security features for IoT and edge computing. 144

In an attempt to provide solutions to these issues, an edge-IoT framework named 'EdgeChain' is designed and prototyped by Jianli Pan et al., "based on blockchain and smart contracts. The core idea is to integrate a permissioned blockchain and the internal currency or 'coin' system to link the edge cloud resource pool with each IoT device's account and resource usage, and hence behavior of the IoT devices." 145 Consider:

EdgeChain uses a credit-based resource management system to control how much resource IoT devices can obtain from edge servers, based on pre-defined rules on priority, application types and past behaviors. Smart contracts are used to enforce the rules and policies to regulate the IoT device behavior in a non-deniable and automated manner. All the IoT activities and transactions are recorded into blockchain for secure data logging and auditing. [Jianli Pan et al.] implement an EdgeChain prototype and conduct extensive experiments to evaluate the ideas. The results show that while gaining the security benefits of blockchain and smart contracts, the cost of integrating them into EdgeChain is within a reasonable and acceptable range.

Any engineering professor will tell you that human behavior and attitudes will play a determinative role in the success of any product design. NIST advises:

Addressing the challenges of IoT cybersecurity necessitates educating IoT device customers on the differences in cybersecurity risks and risk mitigation for IoT versus conventional IT, as NIST has documented in Internal Report (IR) 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. The challenges also necessitate educating IoT device manufacturers on how to identify the cybersecurity features customers need IoT devices to have.
This includes improving communications between manufacturers and customers regarding device cybersecurity features and related expectations. 151

VIII. RECENT DEVELOPMENTS

NIST continues to provide valuable research efforts, publications, and interface between governmental resources and industry. Professor Václav Janecek writes about the treasure trove of collected and created personal data from IoT devices, "whose management poses serious ethical and legal questions. Ownership of personal data underpins the issues revolving around data management and control, such as privacy, trust, and security, and it has also important implications for the future of the 'digital'

Reference fragments:
• abstract=2982629; citing Trey Herr & Allan A. Friedman, Redefining Cybersecurity, American Foreign Policy Council, Defense Technology Program Brief
• Identity Theft, Privacy, and the Architecture of Vulnerability, 54 HASTINGS L
• See Trautman & Ormerod, supra note 13, citing Corey Ciocchetti, The Privacy Matrix
• Big Data and the Future for Privacy
• Privacy Costs and Personal Data Protection: Economic and Legal Perspectives
• The FTC and the New Common Law of Privacy, 114 COLUMBIA L
• A Model Regime of Privacy Protection (Version 2.0), GWU Law School Public Law Research Paper No
• The Right to be Forgotten, 64 HASTINGS L
• Mitigating Moral Hazard in Cyber-Risk Insurance, 3
• Data Breach, Privacy, and Cyber Insurance
• 2 billion records: customer names, addresses inappropriately made accessible in public directory
• 1.3 billion records: names; addresses; IP addresses; email addresses; undisclosed number of financial documents; chat logs and backup; exposed by faulty rsync backup
• Reports 1.2 billion records stolen by hackers (emails, addresses, and passwords) and offered for sale on the dark web
• Footnote to follow when table is updated in MidYear QuickView Data Breach Report
• Fast Packet Delivery Techniques for Urgent Packets in Emergency Applications of Internet of Things
• The Internet of Things Needs Standardization: Here's Why, govtech.com
• Manufacturer Usage Description Specification
• Parisa Grayeli & Susan Symington, Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD), NIST Special Pub. 1800-15A (Prelim. Draft
• Federal Information Security Modernization Act of
• Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD), NIST Special Pub
• See Manufacturer Usage Description Specification, supra note 129
• Parisa Grayeli & Susan Symington, Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating
• A Primer for Blockchain
• Bitcoin Versus Regulated Payment Systems: What Gives? 38 CARDOZO L. REV. 1041
• Virtual Currencies: Bitcoin & What Now After Liberty Reserve, Silk Road, and Mt. Gox?
• Is Disruptive Blockchain Technology the Future of Financial Services?, 69 CONSUMER FIN
• EdgeChain: An Edge-IoT Framework and Prototype Based on Blockchain and Smart Contracts

infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides. 93

Malicious and costly ransomware attacks continue daily, including and resulting in substantial disruption to the citizens of Atlanta, 94 Baltimore, 95 and many others. 96 New ransomware exploits are found constantly. For example, on January 22, 2020, security expert Ravi Gidwani reports, "a nasty and one-of-its-kind ransomware… one that uses Node.js framework, which enables it to infect Windows based OS." 97 This is significant because:

Node.js is an open-source, cross-platform, JavaScript run-time environment that executes JavaScript code outside of a browser.
It is built on the V8 JavaScript engine… Google's open source high-performance JavaScript and WebAssembly engine, written in C++. It is used in Chrome and in Node.js, among others. It implements ECMAScript and WebAssembly, and runs on Windows 7 or later, macOS 10.12+, and Linux systems that use x64, IA-32, ARM, or MIPS processors. V8 can run standalone, or can be embedded into any C++ application. Interestingly, users can easily get infected by this Nodera ransomware while browsing online, either by clicking on a malicious HTA file or when served as a malvertisement. 98

Software engineer Tim Trautman believes this may be significant because, as a JavaScript framework, "Node has a very large community around it.

Ransomware 93

IoT systems rely on the interoperability of the different objects that are interconnected. IoT objects interact smartly through the Internet with other devices. In a time of crisis, some of these devices may be destroyed, which can significantly hamper the effective functioning of the IoT system. Therefore, the more objects are connected through an IoT system, the greater the possibility of mayhem in times of crisis. Moreover, IoT services such as process automation, device management, and decision making are usually hosted in the cloud to allow users to access IoT devices anytime, anywhere. If the Internet infrastructure is destroyed during a disaster, IoT services will not be available to the users. Technological advances such as "Content-Centric 123

The MUD intends to achieve several goals including:
• Substantially reduce the threat surface on a device to those communications intended by the manufacturer;
• Provide a means to scale network policies to the ever-increasing number of types of devices in the network;
• Provide a means to address at least some vulnerabilities in a way that is faster than the time it might take to update systems.
This will be particularly true for systems that are no longer supported;
• Keep the cost of implementation of such a system to the bare minimum; and
• Provide a means of extensibility for manufacturers to express other device capabilities or requirements. 138

These goals make the use of this framework practical while accomplishing a standardized level of security and use. However, the MUD design is not intended to:
• address network authorization of general purpose computers, as their manufacturers cannot envision a specific communication pattern to describe;
• In addition, even those devices that have a single or small number of uses might have very broad communication patterns. MUD on its own is not for them either;
• Although MUD can provide network administrators with some additional protection when device vulnerabilities exist, it will never replace the need for manufacturers to patch vulnerabilities;
• Finally, no matter what the manufacturer specifies in a MUD file, these are not directives, but suggestions. How they are instantiated locally will depend on many factors and will be ultimately up to the local network administrator, who must decide what is appropriate in given circumstances. 139

These goals and actions aim to present a portfolio of mutually supportive actions that, if implemented, would dramatically improve the resilience of the ecosystem. The recommended actions include ongoing activities that should be continued or expanded, as well as new initiatives. No single investment or activity can mitigate all threats, but organized discussions and stakeholder feedback will allow us to further evaluate and prioritize these activities based on their expected return on investment and ability to measurably impact ecosystem resilience. We look to stakeholders across the ecosystem to work with government to implement the proposed activities, realize opportunities for support and leadership, and remove impediments to implementation.
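Returning to the MUD mechanism described above (a manufacturer declares the communications its device needs, and the network permits only those), the following is an added example, not code from the article, NIST or the IETF. It loads a constructed MUD file written in the JSON layout of the MUD specification (RFC 8520), flattens it into rules, and shows that an undeclared flow such as an outbound telnet probe, the path the Akamai passage describes Mirai using to spread, is denied by default. The device, its hostnames, the ACL names and the simplified matching (DNS-name peer, IP protocol and destination port only) are assumptions.

```python
"""Minimal MUD (Manufacturer Usage Description) interpreter.
Added example following the JSON layout of the MUD specification (RFC
8520), not code from the article, NIST or the IETF. Simplification
(assumption): only DNS-name peers, IP protocol and destination port are
matched; other match fields of the specification are ignored.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed MUD file for a hypothetical "lightbulb2000" (not a real manufacturer's
# file): HTTPS out to its update server, TCP/8443 in from the local controller, nothing else.
MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://lighting.example.com/lightbulb2000",
        "last-update": "2020-04-08T00:00:00+00:00",
        "cache-validity": 48,
        "is-supported": True,
        "systeminfo": "Example light bulb (constructed)",
        "from-device-policy": {
            "access-lists": {"access-list": [{"name": "mud-bulb-fr"}]}},
        "to-device-policy": {
            "access-lists": {"access-list": [{"name": "mud-bulb-to"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "mud-bulb-fr", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "upd0-frdev",
             "matches": {
                 "ipv4": {"ietf-acldns:dst-dnsname":
                          "updates.lighting.example.com", "protocol": 6},
                 "tcp": {"ietf-mud:direction-initiated": "from-device",
                         "destination-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}}]}},
        {"name": "mud-bulb-to", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "ctl0-todev",
             "matches": {
                 "ipv4": {"ietf-acldns:src-dnsname":
                          "controller.lighting.example.com", "protocol": 6},
                 "tcp": {"ietf-mud:direction-initiated": "to-device",
                         "destination-port": {"operator": "eq", "port": 8443}}},
             "actions": {"forwarding": "accept"}}]}},
    ]},
})


@dataclass(frozen=True)
class Rule:
    direction: str           # "from-device" (outbound) or "to-device" (inbound)
    peer: str                # DNS name of the remote endpoint
    protocol: Optional[int]  # IP protocol number: 6 = TCP, 17 = UDP
    port: Optional[int]      # destination port, None when the ACE names none
    action: str              # "accept" or "drop"


def load_mud(mud_json: str) -> dict:
    """Parse and sanity-check the MUD container before trusting its ACLs."""
    doc = json.loads(mud_json)
    mud = doc["ietf-mud:mud"]
    if mud.get("mud-version") != 1:
        raise ValueError("unsupported mud-version")
    if not mud.get("is-supported", False):
        # Manufacturer no longer maintains this description: flag it, don't enforce it.
        raise ValueError("manufacturer marks device as unsupported")
    return doc


def mud_rules(mud_json: str) -> List[Rule]:
    """Flatten the from-device and to-device ACLs into Rule objects."""
    doc = load_mud(mud_json)
    mud = doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    rules: List[Rule] = []
    for direction, key in (("from-device", "from-device-policy"), ("to-device", "to-device-policy")):
        for ref in mud[key]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                m = ace["matches"]
                ip = m.get("ipv4") or m.get("ipv6") or {}
                peer = (ip.get("ietf-acldns:dst-dnsname")
                        or ip.get("ietf-acldns:src-dnsname") or "")
                l4 = m.get("tcp") or m.get("udp") or {}
                port = l4.get("destination-port", {}).get("port")
                rules.append(Rule(direction, peer, ip.get("protocol"),
                                  port, ace["actions"]["forwarding"]))
    return rules


def is_permitted(rules: List[Rule], direction: str, peer: str,
                 protocol: int, port: int) -> bool:
    """First matching ACE decides; a flow matching nothing is dropped.
    That default deny is what blunts Mirai-style spread: an outbound telnet
    (TCP/23) probe to an arbitrary host matches no declared ACE.
    """
    for r in rules:
        if (r.direction, r.peer, r.protocol) == (direction, peer, protocol) \
                and (r.port is None or r.port == port):
            return r.action == "accept"
    return False
```

A real MUD manager would also resolve the DNS names to addresses at enforcement time and re-fetch the file when `cache-validity` expires; this block stops at the rule logic.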
161 Accordingly, for consideration by our readers, we include the Report's list of goals and actions:

Action 1.1 Using industry-led inclusive processes, establish internationally applicable IoT capability baselines supporting lifecycle security for home and industrial applications founded on voluntary, industry-driven international standards.
Action 1.2 The federal government should leverage industry-developed capability baselines, where appropriate, in establishing capability baselines for IoT devices in U.S. government environments to meet federal security requirements, promote adoption of industry-led baselines, and accelerate international standardization.
Action 1.3 Software development tools and processes to significantly reduce the incidence of security vulnerabilities in commercial-off-the-shelf software must be more widely adopted by industry. The federal government should collaborate with industry to encourage further enhancement and application of these practices and to improve marketplace adoption and accountability.
Action 1.4 Industry should expedite the development and deployment of innovative technologies for prevention and mitigation of distributed threats. Accordingly, where relevant, government should prioritize the application of research and development funds and technology transition efforts to support advancements in DDoS prevention and mitigation, as well as foundational technologies to prevent botnet creation. Where appropriate, civil society should amplify those efforts.
Action 1.5 Government, industry, and civil society should collaborate to ensure that existing best practices, frameworks, and guidelines relevant to IoT, as well as procedures to ensure transparency, are more widely adopted across the digital ecosystem. Emerging risks in the IoT space must be addressed in an open and inclusive fashion.

Goal 2: Promote innovation in the infrastructure for dynamic adaptation to evolving threats.
Action 2.1 Internet service providers and their peering partners should expand current information sharing to achieve more timely and effective sharing of actionable threat information both domestically and globally.
Action 2.2 Stakeholders and subject matter experts, in consultation with NIST, should lead the development of a CSF Profile for Enterprise DDoS Prevention and Mitigation.
Action 2.3 The federal government should lead by example and demonstrate practicality of technologies, creating market incentives for early adopters.
Action 2.4 Industry, government, and civil society should collaborate with the full range of stakeholders to continue to enhance and standardize information-sharing protocols.
Action 2.5 The federal government should work with U.S. and global infrastructure providers to expand best practices on network traffic management across the ecosystem.

All rights reserved Mohammed T. Hussein, Louis Ngamassi & Mason J. Molesky

Goal 3: Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks.
Action 3.1 The networking industry should expand current product development and standardization efforts for effective and secure traffic management in home and enterprise environments.
Action 3.2 Home IT and IoT products should be easy to understand and simple to use securely.
Action 3.3 Enterprises should migrate to network architectures that facilitate detection, disruption, and mitigation of automated, distributed threats. They should also consider how their own networks put others at risk.
Action 3.4 The federal government should investigate how wider IPv6 deployment can alter the economics of both attack and defense.

Goal 4: Promote and support coalitions between the security, infrastructure, and operational technology communities domestically and around the world.
Action 4.1 ISPs and large enterprises should increase information sharing with government agencies and with one another to provide more timely and actionable information regarding automated, distributed threats.
Action 4.2 The federal government should promote international adoption of best practices and relevant tools through bilateral and multilateral international engagement.
Action 4.3 Sector-specific regulatory agencies, where relevant, should work with industry to ensure nondeceptive marketing and foster appropriate sector-specific security considerations.
Action 4.4 The community should identify leverage points and take concrete steps to disrupt attacker tools and incentives, including the active sharing and use of reputation data.
Action 4.5 The cybersecurity community should continue to engage with the operational technology community to promote awareness and accelerate incorporation of cybersecurity technologies.

Goal 5: Increase awareness and education across the ecosystem.
Action 5.1 The private sector should establish and administer voluntary informational tools for home IoT devices, supported by a scalable and cost-effective assessment process, that consumers can trust and intuitively understand.
Action 5.2 The private sector should establish voluntary labeling schemes for industrial IoT applications, supported by a scalable and cost-effective assessment process, to offer sufficient assurance for critical infrastructure applications of IoT.
Action 5.3 Government should encourage the academic and training sectors to fully integrate secure coding practices into computer science and related programs.
Action 5.4 The academic sector, in collaboration with the National Initiative for Cybersecurity Education, should establish cybersecurity as a fundamental requirement across all engineering disciplines.
Action 5.5 The federal government should establish a public awareness campaign to support recognition and adoption of the home IoT device security baseline and branding. 162

Costly data breaches continue at an alarming rate. The challenge facing humans as they attempt to govern the process of artificial intelligence, machine learning, and the impact of billions of sensory devices connected to the Internet confronts everyone involved. We believe this Article contributes to our understanding of the widespread exposure to malware associated with the Internet of Things (IoT) and adds to the nascent but emerging literature on governance of enterprise risk, a subject of vital societal importance.