Regulating the Internet of Things ⇥ blog.erratasec.com

After last week’s massive web outage was understood to have been the result of a botnet originating from insecure web-connected devices — DVRs and cameras, mostly — a number of people, including me, pointed to Bruce Schneier’s Vice article on why it’s important to regulate the security of these devices. In short:

The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.

Robert Graham of Errata Security disagrees with Schneier:

The persistent rumor is that an IoT botnet is being used. So everything is calling for regulations to secure IoT devices. This is extraordinarily bad. First of all, most of the devices are made in China and shipped to countries not in the United States, so there’s little effect our regulations can have. Except they would essentially kill the Kickstarter community coming up with innovative IoT devices. Only very large corporations can afford the regulatory burden involved.

Like public school textbooks in Texas, regulating large markets can have the effect of regulating every market. There are lots of significant markets for these devices, but the United States and Europe are certainly two of the biggest. If those two regions — and, ideally, China and Korea — were to impose security screenings for these devices, manufacturers would likely comply worldwide, since it costs less for them to deploy the same software in every sales region.

Of course, this raises the question of how it would be most efficient to secure devices like these. A penetration test before an import certificate is granted would probably do a good job of weeding out the less-secure products, but it’s unrealistic for such a test to be imposed with every software update.

It’s a tricky problem. The solution that Graham tweeted is to have the NSA brick vulnerable devices, but that seems like a hard overreach of power. The influence of imposing regulations is softer, but I think it reduces the “Team America” feeling of the NSA acting as the global internet police.