It’s your round: who pays for an insecure Internet of Things?

Mark Lambe

Following on from our recent look at IoT security and the technical fallout from compromised ‘things’, it’s clear the issue raises many questions. For example: what are the legal implications to having your internet of things’ devices hacked? Could the owner and producer of a connected IP camera be liable for damages caused by a botnet? We only have to look at the recent court case filed by the FTC against D-Link who they allege left “thousands of consumers at risk” to hacking attacks as an example of what could become common place for the IoT.

Someone will have to fix all of today’s IoT security shortcomings. So who’s it going to be: the ISP? The device maker? The owner? For the ISP, solving IoT security – or simply carrying the cost of all of this extra traffic – is a potentially huge cost to bear, for virtually no benefit. Which is another way of saying it probably won’t be them who will rush en masse to fix the problem.

Will it be device makers? A disappointing study from CompTIA showed that almost half of senior business executives say the benefits of IoT outweigh security concerns. (To be fair, the survey was conducted and released before the record-breaking DDoS attacks via compromised IoT devices and botnets like Mirai.)

Read more on this in our IoT Connectivity ebook

Bruce Schneier in a typically well argued piece on Vice Motherboard about how the current poor state of IoT security represents market failure. He proposes a simple remedy:But we shouldn’t expect a stampede of manufacturers recalling defective and insecure devices and issuing new ones. The margins on these miniscule sensors are so small that any security fix would eat into the profits. And consumers aren’t exactly beating down their doors asking for it, so there’s no solid commercial case for baking in security rather than bolting it on afterwards.

“…the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. ”

Bruce Schneier is not alone, as other commentators have called for regulation, but I think we should take a hard look at whether we want governments to get involved. We’ve seen many of them struggle with security issues in particular, but more generally I would also argue the internet has evolved because we’ve kept governments out for the most part. Changing that approach for IoT might cure the illness, but would probably kill the patient. (To give Schneier his due, he acknowledges that his solution would be a domestic fix to an international problem.)

Also, there are plenty of precedents for industry working together to get things done. Back when the internet was scaling, the internet routing table used to be a list that got updated and emailed to everyone. That worked fine while the internet was mostly academic institutions, but when it fell apart dramatically in 1989, BGP, or border gateway protocol, saved the internet.

BGP is sometimes derided in the industry as being a terrible solution (and the three guys who invented it agree – they expected it to hold for a couple of months until something better came along). They were working at competitors Cisco and IBM but they approached the problem more like academics than commercial rivals and came up with a hack that was written on three napkins. More than 25 years later, BGP is still in place because it’s good enough to do the job.

The point is, the tech industry is replete with industry forums where companies come together for a greater good – the IETF where BGP was invented, the Wi-Fi Forum, or the GSMA. One possible option, as proposed by Bob Bilbruck of B2 Group in IoT-now, is for the industry to create its own dedicated registry of IoT devices, supported by a standards body like oneM2M, which was set up in 2012 to develop standards for IoT security and interoperability.

I would argue that it’s in all of our interests to test that option first and see what positive incremental steps we can try in order to fix the problem.