We’re all watching the rapid advance of the internet of things — from self-driving cars and connected homes to drone grocery deliveries and smart hairbrushes — with excitement and trepidation. The thrill about the potential for vast improvements in life and work is tempered when our confidence is shaken as cracks appear in our vision of a connected world. Two big examples come to mind: the discovery that cars can be hacked and remotely taken control of, and the increase in distributed denial-of-service attacks powered by millions of internet-connected devices. We may wonder: are the rewards worth the risks? Yes, if we work to manage the risks better than we are now. This will take patience on the part of the public and serious coordination among industry players. And, more importantly, we have to resist the strong urge to dive into regulations that could interfere with innovation and progress.
Security issues surrounding IoT are often compared to those of the automobile industry, which was forced by governments to continuously add safety measures to keep people safe as more and more cars raced down highways at increasingly higher speeds. Most notably, the introduction of seatbelts reduced the risk of death in an accident by as much as 50% and saved tens of thousands of lives each year in the U.S. alone. However, the sheer number of devices and of software and hardware platforms makes for a much more complex and global IoT industry than the auto industry of the mid-20th century. Regulating IoT wouldn’t be as simple as it was for the auto industry.
The scope of the IoT market is huge and increasing exponentially in an unprecedented fashion, and security for these devices is lagging way behind. The number of devices rose 30% last year to 6.4 billion and is forecast to reach 25 billion by 2020. Already there are more than 1 million active IoT bots. IoT devices are more vulnerable than legacy computing devices. The industry has spent at least 20 years getting Microsoft, Apple and the various Linux and browser developers to secure the software that formed the core of internet and desktop computing. That was a relatively small market, and it grew at a manageable rate for security to keep pace.
The IoT industry is riddled with security issues, including speed-to-market, lack of security by design and lack of standards. The growth in IoT is coming so fast that security is overlooked as companies rush products to market. Along with the fast pace of development and adoption, there is homogeneity among platform technologies that makes it easier for malware to proliferate, as well as design constraints that enable ease of use for everyone, including attackers. Devices use low-power chips that have poor authentication and rely on software with inadequate access/user controls that allow arbitrary code (i.e., attack code) to run. Where security is baked into Windows and OS X, IoT platforms are wide open. In addition, there are no standards on products, many of which come from China, where security and quality standards are dubious. In essence, the global market is being populated with billions of devices that are essentially sitting ducks, waiting for criminals to figure out how to exploit them.
This is becoming evident to governments and lawmakers, and there are calls for regulation and legislation to address IoT’s security problem. As a result of IoT-related DDoS attacks last year, including one that took major sites offline temporarily, the European Commission is considering new legislation this year that would force companies to meet tough security standards and undergo privacy certification processes.
That scares me. Regulators are rushing to propose rules, but that’s not the answer. Regulations for emerging areas are often ineffective and overreaching. Just look at the Computer Fraud and Abuse Act, which targeted malicious hacking but is so broad that it can be interpreted as criminalizing legitimate security research and even password sharing. In another example, the Federal Aviation Administration dragged its feet on regulations for commercial drone use and held that industry back. Not only can aggressive regulation interfere with the progress of an industry, but it’s difficult to change bad laws after the fact. The unintended consequences of poor regulation that hijacks a nascent industry can be worse than the security risks the rules are designed to address.
Rather than hastily adopting regulation that could hinder the development of important markets like IoT, industry groups and major players should work together to address the issues, push security-enabling technologies and create standards. We’ve seen this in other tech areas already. Broadband providers worked within the Messaging, Malware and Mobile Anti-Abuse Working Group community to reduce spam and botnet levels among home internet users. Open Wi-Fi vendors, Cisco, Apple and others have devices that are easy to use, manage and secure out of the box. For IoT, we need secure default passwords, randomly generated passwords and auto-update mechanisms, as well as limited services on the box — security features enabled by unikernels and Android OS. We also need new frameworks and guidelines, such as the Online Trust Alliance’s efforts toward an IoT Trust Framework. The DDoS attacks using IoT devices have scared people, and rightly so. But we can’t overreact by regulating IoT, or we risk interfering with a promising and fast-growing market.
Indeed, the U.S. FTC has already taken a market-based approach to IoT security. In the wake of the October DDoS attacks, Chinese manufacturers recalled a number of implicated IoT devices, possibly under threat of legal action. Earlier this year, the FTC also filed a complaint against D-Link for its sale of insecure embedded devices. And in January, the FTC issued the Home Inspector Challenge on securing IoT devices in the field, one of the biggest hurdles in the IoT landscape. These actions all point in the same direction — that the FTC is leading the U.S. government’s role in IoT security in the market (with NIST and others leading the way in technology), and shaping the market without regulations.
These actions are sure to continue, and vendors are sure to respond. What may emerge is a market-led technology foundation more secure than regulation could have achieved, with a more lasting impact, marrying ease of use and reliability with secure defaults, something consumers are sure to embrace.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.