By Taylor Armerding
Jan. 9, 2017
Mark Baugher, principal security engineer at Greenwave Systems, is not convinced that government regulation will solve the problem. But he agrees about the reason for the market failure.
“The costs of cheap, poorly designed network products are typically borne by someone other than the users of those products,” he wrote in a recent essay furnished to CSO.
“Economists call this a ‘negative externality,’ meaning that the costs are external to the market. Market-based solutions therefore don’t work.”
This is not a new problem – Schneier, Fu and others have been saying for years that the IoT is insecure because both the developers and buyers of devices care much more about features and price than they do about security.
But Schneier told the committee that the DDoS attack on Dyn shows that the stakes are now much higher than having a bank account compromised or an identity stolen.
“We are connecting cars, drones, medical devices, and home thermostats,” he said. “What was once benign is now dangerous.”
Of course, what form government involvement should take is less clear. Drew was less forceful than Schneier or Fu about the role of government, saying only that, “there may be a role for the government to provide appropriate guidance.”
But there is general agreement that government could and should require what is described as “basic security hygiene,” and while that would not make devices bulletproof, it would make them much harder to exploit.
Matt Devost, managing director at Accenture Security, is one of several experts who told CSO that government can play a crucial role by forcing the market to address the most obvious, blatant insecurities of IoT devices.
“Establishing a minimum essential security requirement in new devices that forces the user to set up a robust password before the device can be used would be an improvement over default passwords,” he said, “along with an ability to automate the firmware update process in the event a critical vulnerability is discovered in the product.”
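The first of Devost’s two requirements, refusing to operate until the owner has replaced the factory credential with a non-default one, is simple enough to show in code. The following is an added example written for this article, not code from Accenture, Greenwave or any device vendor. It models a device whose remote management services stay off until a password that is neither a known default nor trivially weak has been set; the device class, service names, minimum length and the default-credential list are all constructed for illustration, and a real product would embed its own factory credential plus a public wordlist.

```python
"""Added example (not from the article or any vendor): a first-boot credential
gate. Remote admin services are withheld until the owner replaces the factory
password with one that passes the policy below. All names are illustrative."""

import hashlib
import hmac
import os
import re

# Constructed sample of factory/default credentials of the kind botnets scan
# for; a shipping device would carry a much longer list plus its own default.
KNOWN_DEFAULTS = {"admin", "password", "12345", "123456", "root",
                  "1234", "default", "user"}
FACTORY_PASSWORD = "admin"  # constructed: the credential printed on the label
MIN_LENGTH = 12             # assumption: the device's minimum policy length
PBKDF2_ROUNDS = 100_000


def password_problems(candidate: str, username: str = "admin") -> list:
    """Return every reason the candidate is unacceptable; [] means it passes."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in KNOWN_DEFAULTS or candidate == FACTORY_PASSWORD:
        problems.append("matches a known default credential")
    if username.lower() in lowered:
        problems.append("contains the username")
    if len(set(lowered)) < 4:            # e.g. "aaaaaaaaaaaa"
        problems.append("too few distinct characters")
    if re.fullmatch(r"\d+", candidate):  # e.g. "123456789012"
        problems.append("digits only")
    return problems


class Device:
    """Minimal model of a device's credential state and its service gate."""

    def __init__(self):
        self.username = "admin"
        self._salt = None
        self._hash = None

    @property
    def provisioned(self) -> bool:
        """True once the owner has set an acceptable password."""
        return self._hash is not None

    def set_owner_password(self, candidate: str) -> list:
        """Replace the factory credential. Returns [] on success, else the
        policy violations, and leaves the device unprovisioned on failure."""
        problems = password_problems(candidate, self.username)
        if problems:
            return problems
        self._salt = os.urandom(16)
        self._hash = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                         self._salt, PBKDF2_ROUNDS)
        return []

    def verify(self, attempt: str) -> bool:
        """Check a login attempt. The factory credential is never a valid
        login: before provisioning there is no password to verify against."""
        if not self.provisioned:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                     self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, self._hash)

    def start_services(self) -> list:
        """Until provisioned only the local setup portal runs; remote
        administration is not exposed at all, so there is nothing to brute-force."""
        if not self.provisioned:
            return ["setup-portal"]
        return ["https-admin", "ssh"]


if __name__ == "__main__":
    dev = Device()
    print("before setup:", dev.start_services())          # ['setup-portal']
    print("reject 'admin':", dev.set_owner_password("admin"))
    print("accept:", dev.set_owner_password("correct-horse-battery"))  # []
    print("after setup:", dev.start_services())           # ['https-admin', 'ssh']
```

The point of the gate is in `verify` and `start_services` together: the factory credential never works as a login, and the services an attacker would target are simply not listening until a real password exists, which is what distinguishes this from shipping a default and merely nagging the user to change it.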
Fu, in his testimony before the congressional committee, recommended an independent, national cybersecurity testing facility modeled on the National Transportation Safety Board.
Schneier also recommended that government force “minimum security standards” on IoT manufacturers, including imposing liability on those that fail to comply, “allowing companies like Dyn to sue them if their devices are used in DDoS attacks.”
And Craig Spiezle, executive director of the Online Trust Alliance (OTA), said the government should require that, “products not ship with any known critical vulnerabilities, and have a commitment to provide security patches and updates through their life.”
Other regulatory initiatives could get more complicated, however.
Sen. Mark Warner (D-Va.), in an Oct. 25 letter to the Federal Communications Commission (FCC), Federal Trade Commission (FTC) and Department of Homeland Security (DHS), asked if Internet Service Providers (ISPs) could help force improvements in the security of IoT devices by denying insecure devices access to the internet, including refusing to assign them an IP address.