It’s been a busy week for IoT and security. Between the DDoS on Krebs’ website and the subsequent release of alleged source code, to Yahoo’s unprecedented, full-access custom-built NSA search tool, to the arrest of a purported “Second Snowden” (spoiler alert: not so much), there’s been plenty of news on the wire. But Bruce Schneier’s thoughts on IoT security may be the most impactful for IoT security policy in the near future.
For the uninitiated, Mr. Schneier is a world-renowned expert in computer security — he has authored numerous books on the subject in addition to contributing to several cryptographic algorithms. I was thrilled when he joined the board of directors at EFF, enjoy reading his blog, and consider his most recent publication one of the most important books on digital privacy. That said, Mr. Schneier’s solution for IoT security could not be more incorrect; to the point:
The IoT will remain insecure unless government steps in and fixes the problem.
This solution is not only the least desirable path, it could cripple innovation within the IoT industry. There is a lot wrong with this approach. Industry standardization, not government regulation, is the better solution:
- First, government actors are not subject matter experts in either IoT or security, and will never be held accountable for any failures of government regulation. When the market fails, the industry is directly incentivized to repair the damage -- otherwise, they lose our business.
- Government and the market operate under different sets of incentives and measure success differently. We would expect the market to initiate some form of industry standardization — similar standardization produced the USB and Wifi protocols. Further, the successes of this standardization would benefit both market and consumer; the same is not true of government regulation.
- While the attack on Krebs was described as “simple and amateurish” (rightly so), there’s a reason why an attack like this would succeed so well at this point in time -- IoT is in the middle of a maturity curve! No one expected gigabit throughput from a dial-up modem.
- Most importantly, this is not a market failure; this is a demonstrated need for stronger security, realized through the test bed of the current state of IoT. Attacks like this are exactly what the field needs to harden IoT systems.
I’ve written before on the dynamics of IoT security — it is more complex than other products, specifically because bad security doesn’t immediately affect the end user. Similar to carbon emissions in cars — legislation there hasn’t filled roadways with a fleet of Priuses and bikes.
I will grant that at the moment, the typical IoT customer probably doesn’t care about the security of their system. But consider two different scenarios:
- An IoT attack targets a popular site. The average person’s reaction would be a lot different if Netflix were targeted instead of Krebs.
- Security is a two-way street. If IoT devices are marketed as more secure (and are indeed more secure), it’s possible the average consumer would be willing to pay for that perceived utility.
The economics of IoT don’t necessarily mean that exploitable devices will persist because no one cares. Certainly IoT companies are paying attention to this event; hopefully it will precipitate industry standardization of IoT security. I have stated before that standardization would be necessary for IoT security, but that the time wasn’t right. Now is the time to reconsider that.