[BreachExchange] Improved IoT Security Starts with Liability for Companies, Not Just Legislation

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 29 16:52:19 EST 2017


http://www.securityweek.com/improved-iot-security-starts-liability-companies-not-just-legislation

With the holiday season upon us, take a moment to think on the security of
the plethora of IoT devices that will be purchased, gifted and implemented
into the daily lives of countless people. Despite troubling reports like
the IoT teddy bear that leaked two million message recordings of kids and
was found to be easily hacked and turned into a spy device, a quick look at
one recap of 2018 Cyber Monday sales shows that connected and ‘smart’
gadgets are at the top of everyone’s shopping list. And yet it seems that
people are buying these devices for their homes and offices without
considering, or ultimately choosing to ignore, very real risks!

Whether the general population is aware of these hacks or not, there must
be ways to prevent such massive breaches of sensitive information for these
mainstream technologies. My question for discussion is this: if policies
like the EU’s General Data Protection Regulation (GDPR) are being developed
to maintain user security and privacy as companies continue to collect our
data, could legislation improve the state of IoT security for devices that
are also putting our privacy at risk?

I believe that in theory, legislation could help with IoT security.
However, laws regulating new technologies are often poorly crafted, and can
significantly hamper innovation with little benefit. It is critical that
any new laws be written with great deliberation and input from all
stakeholders.

One of the biggest problems with IoT devices is that most are never updated
or patched. It is almost guaranteed that no one has the time or desire to
manually patch their refrigerator or thermostat on a regular basis, and the
average person using these devices may not even have a basic understanding
of their security risks. Improving IoT security needs to start with the
companies that make these devices – they must be held accountable for
supporting secure, authenticated and automatic updates.

This issue is very complex, and any new laws need to avoid creating
unintended negative consequences. For example, new laws should state
requirements at an abstract level. If the language is too technologically
specific, the law will be outdated almost immediately due to the speed at
which companies are innovating and how quickly technology changes today.
Beyond this kind of legislation, we need some level of liability for the
damage that poorly designed IoT devices inflict. Without that,
manufacturers have no incentive to spend money to make them secure.
Unfortunately, there is almost no market pressure for security at the
moment – bad security and good security look the same to the untrained eye.

Consider two smart toasters on the store shelf. Both have cool features,
and both claim to be easy to use and secure. If one is $10 cheaper than the
other, which is likely to sell best? There is huge pressure on companies to
compete on price, and almost no ability to compete on security with typical
buyers. Additionally, many IoT devices are created by young companies in a
desperate race to be one of the first devices in a category and grab
market share. The odds of a startup surviving at all are slim. Anything
that distracts from the ability to deliver the product as fast as possible
with the coolest features will be ignored if possible. And it is possible
for them to ignore good security, so most do.

It is easy to vilify the IoT makers, but they are simply responding to the
constraints and market realities in front of them. Moral persuasion will
not meaningfully change their behavior. To get better IoT security, that
needs to actually be a priority for the business, and that means changing
the regulatory and liability landscape to make it so.

Laws to support swift and automatic updates for all devices, and
consequences for organizations that fail to ensure their IoT devices are
truly secure, would be a big step forward for IoT security. A major hurdle
for this kind of change will be educating the general population that most
of the devices they interact with are extremely insecure. Without public
outcry, there is little chance IoT device manufacturers will be held to
account for the security of their products.