[LINK] CG: 'Security Economics of the Internet of Things'
Roger Clarke
Roger.Clarke at xamax.com.au
Sun Oct 16 09:44:35 AEDT 2016
[Last August in CLSR, I examined market failure in the security of desktop / laptop / handheld devices: http://www.rogerclarke.com/EC/SSACS.html:
>Security isn't easier for small organisations and consumers because the drivers for individual responsibility are too weak to overcome the impediments, and this problem is matched by market failure, and compounded by regulatory failure.
[In the article below, Schneier points out that the situation is even worse in the case of eObjects / IoT devices. It's unusual to see an American calling for government action; but that's what's necessary. As is often the case, the most critical jurisdiction for action to be taken is the US, although Europe also has some importance.
[Parliaments are so dysfunctional that it's very difficult to get action through those channels. But the Australian Privacy Commissioner has been urged for years (at least by me, but I expect by some other people and organisations) to use his powers to force baseline security on organisations in relation to personal data. His refusal to do so is a blatant example of regulatory failure.]
Security Economics of the Internet of Things
Bruce Schneier
Cryptogram
15 October 2016
https://www.schneier.com/crypto-gram/archives/2016/1015.html#1
...
What was new about the Krebs [DDoS] attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the Internet as part of the Internet of Things.
Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.
...
... most of these devices don't have any way to be patched. Even though the source code to the botnet that attacked Krebs has been made public, we can't update the affected devices.
...
The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.
What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.
...
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916 http://about.me/roger.clarke
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Faculty of Law University of N.S.W.
Visiting Professor in Computer Science Australian National University