Disrupting Business Operations

Over the last two years, the Harvard Business Review published a nice set of articles examining how the IoT changes traditional business operations. Looking at IoT and competition in 2014, Porter and Heppelmann stressed the advantage of the IoT technology stack: product linking to connectivity linking to the product cloud. Backend analytics on this aggregate data provides competitive advantages. This stack changes what businesses do [19]:

This opens the door to new competitors, such as the “productless” OnFarm, which is successfully competing with traditional agricultural equipment makers to provide services to farmers through collecting data on multiple types of farm equipment to help growers make better decisions, avoiding the need to be an equipment manufacturer at all….

The basis of competition thus shifts from the functionality of a discrete product to the performance of the broader product system, in which the firm is just one actor

GE CEO Jeff Immelt is quoted as observing that “every industrial company will become a software company.”

In a companion piece on “digital ubiquity,” Iansiti and Lakhani emphasize the business potential of remote sensors and backend analytics in the industrial internet [12]:

GE was at increasing risk of losing many of its top customers to nontraditional competitors…[who] aimed to shift the customer value proposition away from acquiring reliable industrial equipment to deriving new efficiencies and other benefits through advanced analytics and algorithms based on the data generated by that equipment.

GE responded by using the industrial internet to change its business model:

Now revenue from its jet engines, for example, is tied not to a simple sales transaction but to performance improvements: less downtime and more miles flown over the course of a year.

Iansiti and Lakhani also note the scalability of digital objects: “exact replication infinite times at zero marginal cost.”

In a follow-up piece in 2015, Porter and Heppelmann further emphasized the business advantages of the industrial internet [20]:

To better understand the rich data generated by smart, connected products, companies are also beginning to deploy a tool called a digital twin…. Originally conceived by the Defense Advanced Research Projects Agency (DARPA), a digital twin is a 3-D virtual-reality replica of a physical product. As data streams in, the twin evolves to reflect how the physical product has been altered and used and the environmental conditions to which it has been exposed.

Porter and Heppelmann also note how the easy malleability of software (compared to hardware) changes the design and development process from slow, discrete cycles to something more continuous:

In conventional products, variability is costly because it requires variation in physical parts. But the software in smart, connected products makes variability far cheaper. For example, John Deere used to manufacture multiple versions of engines, each providing a different level of horsepower. It now can alter the horsepower of a standard physical engine using software alone.

Porter and Heppelmann describe this as evergreen design. (Of course, this approach gives rise to a risk: aftermarket hacking that lets customers get more power without paying the manufacturer for it.)

Similar points from a different perspective can be found in IoT promotional information from vendors such as IBM and Intel. In fact, Intel has a case study on the use of the IoT to market craft beer—something that made a nice A/V supplement for an undergraduate class (see Figure 7-1).

Figure 7-1. Intel’s SteadyServ iKeg case study demonstrates the transformative power of IoT on business, in a domain readily appreciated by college students. (Image reproduced with the permission of Intel Corporation, which owns the copyright.)

Disrupting the Profit Paradigm

“Paradigm disruption” is a term that’s sure to become overused when applied to the IoT. Nonetheless, quantum changes in how things get done can change how money flows for those services—and, as a consequence, change the nature of industries.

As a case in point, one need only look at what’s happened to the recorded music industry in the US in the last 30 years. In 1986, music was sold primarily packaged in the vinyl LP format. The newer CD format was beginning to catch on; older formats such as the cassette tape and the eight-track tape still existed, but were fading. Music reached the ears of prospective purchasers via radio stations broadcast over actual radio waves; stations logged what music they played, and this log data fed back to royalty payments to musicians (or at least songwriters).

The emergence of the IoC changed all this. Vinyl and tape vanished (although vinyl is making a small comeback in hipster circles); CDs mostly vanished too. (The “used record” stores I would regularly visit when visiting college towns became “used CD” stores, and then disappeared altogether.) To a great extent, radio waves have been replaced by internet streaming—and often not from a traditional radio station but from a program running on a Pandora server. Lamenting these changes, Jonathan Taplin (in the New York Times) offered the fascinating observation [24]:

In 2015, vinyl record sales generated more income for music creators than the billions of music streams on YouTube and its competitors.

In this one area alone, technology disrupted. What further industry disruption will the IoT bring?

“Google Moments”?

On the other hand, as the purpose of insurance is to reduce the maximum costs any one individual faces from a bad but statistically unlikely event by spreading the costs across a larger population, the IoT may in fact create opportunity.

Recall from Chapter 1 how the IoT triggers two general rants from security analysts:

• The IoT increases the attack surface (making attacks more likely).

• The IoT amplifies the physical consequences of an attack.

Taken together, these tenets suggest a potential for the IoT to create new bad events requiring insurance protection. Smart, connected vehicles may be exposed to malicious remote manipulation; we may have fewer crashes from driver error but more from electronic vandalism. Similarly, smart, connected homes may make it easier for a burglar to determine which houses have valuable appliances and when these houses are likely empty, or for a vandal to maliciously manipulate heating and cooling and ovens—hence, the IoT might bring more burglaries and vandal-induced fires.

For these opportunities to pay off, however, insurers need to get a handle on the statistics to ensure the events are indeed sufficiently unlikely across a pool of customers. Security researchers have long mourned the dearth of effective security metrics—how do we measure the actual risk from the unknown zero-days in the infrastructure? Insurance—even for cyberattacks in the IoC, let alone in the emerging IoT—may thus help with this problem. Another potential benefit might be the emergence of standards (as our society sees now with things such as fire safety codes governing construction) to reduce the aggregate risk, put in place by entities whose profit motivation ensures these standards work.

This may already be happening. In May 2015 The Security Ledger reported [18] that Columbia Casualty Insurance had claimed in court that it could deny coverage for a privacy spill at Cottage Health Systems because the insured:

Failed to follow “minimum required practices,” as spelled out in the policy. Among other things, Cottage “stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the Internet.”

In History

When security researchers (such as I) discuss the risks of the coming IoT, listeners often hear it as endless litany of things that can go wrong and say, “Since we can’t solve these problems, should we just give up on building this smart future?” The security researcher then usually gives a more hopeful response, along the lines of how identifying problem areas can focus attention on solutions or mitigation strategies so that we can have the smart future without the smart risks.

But there’s another possibility as well.

Suppose a group of researchers proposed a new technology, X, that promised to fundamentally change and improve (mostly) society in all sort of exciting ways. However, X has some downsides:

• In the US alone, its adoption would directly kill over 30,000 people each year—and indirectly hurt far more.

• In the US alone, its adoption would near-permanently consume landmass whose area exceeds the state of Georgia.

• Worldwide, its adoption would fundamentally alter the climate of the Earth (in a bad way) and create destabilizing geopolitics, leading to wars, despotism, and terrorism.

One would imagine that, given these downsides, society would either reject adoption of X as simply not worth the cost, or perhaps pursue a more prudent path of delaying deployment until we had used our collective ingenuity to eliminate these hazards. The idea that society would happily accept X with these costs—to the point where life without X would be unimaginable—is unthinkable.

And yet, this is what society has chosen with the automobile: we accepted both the transformative new technology and all of its costs. Perhaps this will be the fate of the IoT as well.

We (as a society) know how to build safer cars, but we (as a society) choose not to. With cars—or with any other potentially dangerous products, such as lead paint or pesticides or lawnmowers, or with difficult social choices such as the high cost of implementing positive train control in the US even though it would have eliminated deadly derailments—individual consumers choose not to pay the higher cost for statistical safety; manufacturers choose a different point on the profit-aggregate safety curve. (Of course, more subtleties may lurk here; for example, the existence of positive control might make some engineers even more likely to engage in risky behavior.)

In the IoT

Will society make the same “irrational” choices in the IoT?

The IoT has already seen choices between profit and cost. In 2014, the Harvard Business Review noted [19]:

In residential water heaters, A.O. Smith has developed capabilities for fault monitoring and notification, but water heaters are so long-lived and reliable that few households are willing to pay enough for these features to justify their current cost.

In May 2015, Fusion discussed a recent video posted from Central America [11]:

A group of people stand in a garage watching and filming a grey Volvo XC60 that backs up, stops, and then accelerates toward the group. It smashes into two people, and causes the person filming the video with his phone to drop it and run. It is terrifying.

Apparently, what was going on is that some smart Volvos have a feature called pedestrian detection. The people in the video were apparently trying to demonstrate that. However:

It appears that the people who bought this Volvo did not pay for the “Pedestrian detection functionality,” which is a feature that costs more money.

The opening of this chapter discussed the amorphous nature of smart products: instead of having N different variations of a product, a vendor can produce one generic one that becomes one of N depending on which software is installed—or perhaps even on which software, already present, is enabled. In the case of the scary Volvo, it’s possible that the car in question actually knew how to avoid the pedestrians, but a flag was turned off because the owner hadn’t paid. Someone—the vendor, or the owner, or both—decided that the added benefit wasn’t worth the additional price or lost revenue, even though the marginal cost may very well have been zero. (Indeed, a decade ago, a scientist who does digital forensics for law enforcement told me of an alleged drug dealer who had used strong encryption on his computer but neglected to pay the shareware license, so it was still running in crippled, low-security mode when seized.)

Other differentiating aspects of the IoT may also lead to similar choices. The ability for an IoT device to grant remote access to physical reality (thermostats? heart devices?) introduces choices between convenience and risk. The ability of highly instrumented reality to generate massive amounts of data could enable backend analytics to detect all sorts of potentially useful things, including high-accuracy predictions of bad things about to happen. Pointing this microscope at some targets means not pointing it at others. As with the possibility of identifying the 9/11 actors before the attack, it will be awkward if we have to look back and say we had the pieces to predict the bridge collapse or the imminent heart attack but did not, because vendors or consumers, probably motivated by money somehow, made different choices about services.

In the Human Mind

As Chapter 6 discussed, psychology has identified (and can experimentally demonstrate) all sorts of cognitive bias scenarios where human minds confidently make choices that would appear to be irrational based on data. Humans believe driving is safer than flying, insist on expensive but not highly useful healthcare for some situations (e.g., patients at end of life) but in other scenarios decline cheaper choices with higher utility (e.g., vaccination), or worry about attacks in public restrooms from transsexuals but not from congressmen. Psychologists have also looked at ways (e.g., [14, 25]) to reframe these questions so human minds make decisions that are “better,” in the sense that they do not look so irrational in hindsight or from third-party judgment.

The business of the IoT opens up new vistas for choices and mixes lots of apples and oranges. It might be worth exploring the implications for human decision making:

• On an individual level (what would a human choose?)

• On a business level (what trade-offs will be chosen among revenues and costs?)

• On a social level (when and how should nations and international coalitions step in and regulate to shape what the market forces do?)

In History

To see this pattern in the current IoC, one need only look at antitrust arguments against Google. For example, Nathan Newman in the Huffington Post writes [16]:

The pleasant experience of using Google products is little different (in any economic analysis) from the pleasant massage administered to Kobe beef cattle in Japan; each is just a tool to increase the quality of the product delivered up to the real customers…Here’s the key place to start in understanding proper technology policy for Google: there is no market for search engines; there is no market for online geolocation mapping software; there is no market for online video. Google, by making these products free, has destroyed those markets in favor of an alternative economic model of selling individual attention and precise information about those users to advertisers. You are the product, not the customer.

Massive data can enable more accurate identification: potential customers for advertisers and potential employees for employers. This effectiveness can be creepy—witness the father who discovered his daughter was pregnant via Target coupons mailed to her [5], or the services of the British startup Score Assured [4]:

The company wants to, in the words of co-founder Steve Thornhill, “take a deep dive into private social media profiles” and sell what it finds there to everyone from prospective dates to employers and landlords.

As a scientist and also a former low-level competitive cyclist, I’ve read about the science and technology behind doping, and this idea of using big data analytics to focus narrowly on individuals reminds me of doping: it’s creepy, but it likely works.

In the IoT

Businesses are already seeing the advantage of harvesting the personal data the IoT will collect. Earlier in this chapter, we saw how State Farm was contemplating switching from selling insurance for traditional cars to selling analytics from data collected by smart cars. For another example, consider Google’s 2014 purchase of Nest for $3.2 billion. Analysts such as ITworld’s Matthew Mombrea observed that Google must have had something else in mind: “to recover its purchase price, Google would have to sell a lot” of the $250 smart thermostats [15]. Mombrea hypothesized the secondary market of selling efficiency services to the power grid. Others saw the purchase as an effort by Google to use the IoT to gather yet more data about users in order to enhance its targeted advertising business [10]:

But years ago it moved its ambitions into being a universal data collector not only to power its advertising business through intimate customer knowledge, but also to serve as a common fabric for all services to use. After all, the more services you use, the more Google can discern about you.

However, more recently, pundits have been puzzling about how and why Nest/Google’s sparkly future has fizzled.

For yet another example of the business of using the IoT to harvest individual data, consider Fitbit fitness wearables. At first glance, one would think the consumers for these devices and services would be the individuals who choose to buy and wear them. However, ITworld reports how Fitbit is also marketing to corporations [17]:

“We think virtually every company will incorporate fitness trackers into their corporate wellness programs,” Fitbit CFO Bill Zerella said Tuesday.

Businesses are using wellness programs to increase employee productivity, decrease the number of sick days workers take and potentially reduce health care costs, Zerella said during a session at the Pacific Crest Global Technology Leadership Forum.

Fitbit’s corporate thrust includes not just selling Fitbits to employees, but also selling special software services (available via special portals) to their employers. (Although as Chapter 6 observed, this sort of thing is considered a privacy violation in the Netherlands.)

Corporations are also using the data avalanche to monitor and tune employee performance more directly. In 2015, the New York Times surveyed various products in this space, including tools at GE to “give workers instant feedback from bosses and colleagues,” Amazon’s Anytime Feedback, and Sapience’s Buddy [23]:

Khiv Singh, a Sapience vice president, noted that data surrounded workers: “We have pedometers to measure how far we walk, apps to monitor our blood pressure, stress level, the calories we’re taking in, the calories we’re burning. But the office is where we spend the majority of time, and we don’t measure our work.”

One of Sapience’s customers “was surprised by what he found” when his company started using Buddy:

“Engineers would write on their time sheets that they were doing development for eight hours, but we started to see a very different set of activities that people are performing,” Mr. Bohra said. “Meetings. Personal time. Uncategorized time. Performing research on something that maybe already should be a part of our knowledge repository.”

To be fair, the Times also notes that BetterWorks tries to make employees happier rather than employers.

What does this mean for society? Personally, I find this observation from a Score Assured founder troubling rather than assuring:

“If you’re living a normal life…then, frankly, you have nothing to worry about.”

In History

History gives many scenarios where the answer to this question was “no.”

Greengard quotes internet pioneer Vint Cerf on the state of IT a century ago [9]:

We certainly didn’t want to wind up with a situation parallel to the 1910s and 1920s, when a business had a dozen different telephones sitting on a desk—all using a different proprietary system and requiring a person to know which telephone service to use to reach someone else.

From Vint’s point of view, society would be better off with interoperable IT—except the profit motive alone hasn’t given us that yet. Decades later, the VHS videotape format won out over Betamax, which some argue had been better technology. In the early days of the web, Netscape’s SSL won out over “Secure HTTP,” which some argued had been the better choice. (We could also go decades earlier and examine the Edison/Tesla feud between DC and AC electric power.)

The recent Oracle/Google litigation shows another example of the potential impact of profit motives and technology. From Oracle’s point of view, Google violated copyright law by using Java APIs that were the property of Oracle; from Google’s point of view (the one supported by the latest court decision), this was fair use. One could argue that Oracle initiating this legal action was a sensible business move: the APIs were its property, and Oracle deserved compensation for use of that property. However, many in the industry feared that an Oracle victory would fundamentally change IT, in a negative way. For example, Klint Finley in Wired wrote [6]:

Nothing less is [at] stake than the future of programming…. Regardless of how the jury rules, the case has already had a permanent effect on the way developers build software…. [S]ince the appeals court has already ruled that APIs are subject to copyright, that could open a whole new frontier of lawsuits aimed at startups and open source projects that have copied APIs in order to ensure their products are compatible with popular commercial products.

SCO’s earlier litigation against various commercial users of Linux might be a similar example, except widespread opinion in the technical community was that it had no merit, so it’s not as interesting. (However, in industry in the 1990s, I personally saw how such intellectual property squabbles contributed to a reluctance to use open source software—which in turn led to redundant work and new bugs.)

A Reddit user posted an account of a more short sighted case of profit versus technology: how a power plant employed workarounds to avoid paying software license fees, almost leading to a shutdown [13].

Another angle to consider here is the relative timing of new technology and new business ventures framing that technology. Why did Facebook succeed but Myspace disappear? Everyone knows about Google, but who remembers Lycos and AltaVista?

In the IoT

The preceding examples where local business self-interest potentially missteered the global state of IT all began in the IoC. It’s hard to cite an IoT-specific example so far, except perhaps for Philips blocking third-party lightbulbs from its smart lighting hubs (see Chapter 8). However, it’s also hard to believe that the same trends will not continue. The IoT offers the same multiplicities of choices and possibly proprietary APIs and services. IoT-time will move even faster than IoC-time—of which Milton Friedman warned [7]:

Is it really in the self-interest of Silicon Valley to set the government on Microsoft? Your industry, the computer industry, moves so much more rapidly than the legal process, that by the time this suit is over, who knows what the shape of the industry will be.

Furthermore, for massive deployment to happen, a large class of IoT things will need to be much smaller and cheaper than IoC things [22]:

The FTC also cautions that many devices are inexpensive or “disposable,” essentially calling into question whether the threat assessment and internal productivity outweighs any reward of consistently patching new attack vectors each time one is discovered.

Hacking and Business

September 2016 brought news [21] of a perhaps novel combination of IoT security, hacking, and business:

When hackers at cybersecurity startup MedSec Holdings discovered security vulnerabilities in St. Jude Medical pacemakers and defibrillators, they contacted Carson Block, who runs investment firm Muddy Waters Capital. MedSec and Block struck an unprecedented partnership: The hackers provided data showing the devices, used by tens of thousands of people, had life-threatening flaws; and Block bet against St. Jude Medical stock by selling it short, agreeing to pay MedSec fees based on how much St. Jude’s shares fell. If the shares didn’t fall, MedSec would be out the money for its research and other upfront costs.

Hackers found holes, and used the stock market both to punish those responsible for the holes and to finance their work.