Who should bear the cost of IoT security: consumers or vendors?

Anyone using the internet in Europe and the US on 21st October last year experienced what economists call an externality.

It arrived in the form of a massive 1.2 Tbps DDoS attack on Dyn, a US-based internet infrastructure company. This, in turn, triggered outages at multiple sites – including PayPal, Twitter, Amazon and Netflix.

The attack was coordinated by a piece of malware called Mirai, which coordinated millions of compromised IP-connected devices including DVRs and cameras. According to the security firm Flashpoint, the likely authors of the attack were talented amateurs: script kiddies.

Security breaches always impose a cost on innocent parties. Most consumers would describe this as a variant on Murphy’s Law. PayPal, Twitter, Amazon and Netflix probably view it as economic sabotage. Economists, by contrast, use the e-word to describe this kind of thing. Externalities are the hidden costs of doing business that tell us markets are working imperfectly.

Whatever you want to call it, the risks involved in IoT security are immense. If Netflix goes dark while you watching a box set, that’s one thing. If pacemakers crash and automobiles veer off course, that’s something very different. At the point where the digital world blurs into the physical, risks to human life become evident. For obvious reasons, the Dyn attack sparked a high-level debate about the state of IoT security.

So here’s a question: in IoT, who is responsible for closing down the space in which externalities like DDoS attacks can occur?

Clearly, the script kiddies have a lot to answer for (though it remains unlikely that they will pay a penalty). This leaves us with two targets:

• Device vendors who understand the risks, but don’t mitigate them
• Consumers who don’t understand the risks and don’t care about them

It’s easy enough for us, inside the industry, to criticise consumers.

But take a look at the scale of the attack surface generated by ignorance. It’s enormous. In a recent survey, which you can read about in more detail in this white paper, we asked consumers for their views on the security of connected devices. Here’s what they told us:

• 57% said the job of securing devices is clearly the responsibility of vendors
• 48% said they didn’t know that connected devices in the home could be used to conduct a cyberattack
• 40% said they had never consciously performed updates on their devices
• 37% admitted they were not “sufficiently aware” of the risks

It’s clear that we will have our work cut out to educate a sufficiently large number of individuals – at the minimum — about the need to rewrite default credentials and install firmware updates.

So let’s turn to the device vendors who understand IoT security risks, but don’t mitigate them.

Clearly, these vendors have the power to close down the space for externalities like IoT-mediated DDoS attacks. (For an overview of what’s wrong with cheap consumer IoT devices, take a look at this post by Ray Krebs, who himself was the victim of a similar IoT-mediated DDoS attack last September.)

Now it’s perfectly understandable to read an analysis like this and leap straight to the recommendation that regulation is the answer.

Among those urging us down this route is Bruce Schneier, the veteran security analyst and thinker. In a long essay last month, Schneier wrote: “Regulations are necessary, important, and complex; and they’re coming. We can’t afford to ignore these issues until it’s too late.”

Schneier may well be correct. Regulation is the classic response to externalities and market failure. But once again, this will be an enormous undertaking. Governments don’t move fast. And they are already well behind the pace of IoT deployment.

So where does this leave us? Well, in addition to clueless consumers and slow-moving government, there’s a third option for mitigation: the possibility of better and smarter architectures – at network and device level.

Innovation may not be the only solution, but it will play a major role in securing the IoT. With that in mind, we suggest you take a look at Ubuntu Core – a tiny version of Ubuntu designed specifically for IoT.

While we wait for consumers to get educated, and for governments to do their thing, let’s build a better IoT, using a purpose-built OS that takes security seriously: Ubuntu Core.

Learn more about current approaches to IoT security and why they aren’t working in Taking charge of the IoT’s security vulnerabilities

Download the white paper