The Key to IoT Security Incentives

0
bruce-schneier-2

Bruce Schneier, Harvard’s Kennedy School of Government

There is no question the internet of things is already changing the world. Hailed by some as “the most significant era of innovation and growth since the launch of the internet,” the IoT sector is expected to grow anywhere between $ 3.9 and 11.1 trillion by 2025. The proliferation of internet-connected devices already offers countless benefits to consumers, businesses and societies writ large, from anytime, anywhere access and control of physical security systems to increased efficiencies from automated resource allocation.

But everything comes at a price, and it’s time to pay up.

“In our race to adopt technology for their immediate and obvious benefits, we seldom do the cost-benefit equation to know what the deferred costs and security risks are that these technologies incur,” said Josh Corman, director of the Atlantic Council’s Scowcroft Center on Cyber Statecraft.

As Bruce Schneier, a security expert and adjunct lecturer at Harvard’s Kennedy School of Government, testified before the House Energy and Commerce Committee on Nov. 16, “Security flaws in [IoT] could mean people dying and property being destroyed.” And, he added, they are “deep and pervasive.”

In the United States alone, there are approximately 25 internet-connected devices for every 100 inhabitants, and, according to research from HP, 80 percent of the most common IoT devices are unsecure.

So how did we get here?

Simple, Schneier says: the threats posed by an unsecure IoT are externalities. The risk of an internet-connected DVD player is not that it might harm its owner; the risk is that it can be weaponized to take down a hospital, critical infrastructure, or emergency response services.

“The market has prioritized features and cost over security,” Schneier said, and the lack of incentives for device security is something he believes the market can’t solve. “I can’t put a sticker on [a device]and say, ‘This device costs $20 more and is 30 percent less likely to annoy people you don’t know.’ I don’t think I’m going to get a lot of sales.”

Another hearing witness, Dr. Kevin Fu, an associate professor at the University of Michigan, has seen this tension played out numerous times in his work with industry.

“Even though they mean well, even the people who can [secure these devices]don’t have the authority to do the right thing because they don’t have economic drivers,” he said. Simply, “Right now, there isn’t any kind of tangible cost to a manufacturer who deploys something with poor security, and there’s no benefit if it has good security.”

So what’s next?

“It comes down to accountability, whether that’s economic accountability or liability,” Fu said, and it’s going to take more than government guidelines and best-practices frameworks. As Rep. Anna Eshoo, D-Calif., who requested the hearing in the first place noted, those regulations exist, but there’s little adoption.

“It surprises me,” she said, “that manufacturers are not already taking these steps.”

“You’re saying there are no real incentives; is that what we need to focus on?” she continued, asking the witnesses.

Exactly, Schneier said. “If we get the incentives right, technologists will figure it out,” he said. “Some of it’s rocket science; most of it isn’t. These are solvable problems.”

Comments are closed.