Not my problem.
That’s the 3-word definition of an externality: something that you don’t need to deal with, because the adverse consequences are not affecting you directly. This has been an issue for cybersecurity forever (Schneier, 2007), and it is widely known that the issue is particularly pressing with IoT (Schneier again, 2016).
I have been writing material on IoT device security as my day job for a few months now. But I also speak at conferences, where the public is more general: if there are device vendors in the room, I am not sure what they think about this, so I mention the issue.
After doing so a few times, I got convinced that this “Externality of IoT Security” is rapidly becoming THE issue around IoT, and possibly the entire internet. We are deploying devices today that do not include any kind of security, because nobody cares.
We don’t care for a variety of reasons.
Some of us are clueless:
- Some vendors. Some vendors, initially many of them, have no idea that security could be a problem. Typically, this occurs with vendors of gadgets and other devices that don’t seem to be related to security in any way. Today, such cluelessness should become uncommon, as IoT-based attacks make headlines.
- Most users. That’s one of the scariest aspects of this. If a hacker ensures that pwned devices keep working normally most of the time, the end users will most likely not even notice a problem. Most IoT devices are unattended; if they work normally, there is no reason to worry.
Some of us are helpless:
- Merchants. Most devices are sold by some local/online store. Don’t expect these guys to provide much help, though. I tried to ask a few questions, and the best answer I got was a pointer to the vendor’s product support page (which said nothing about security, of course).
- Some users. Some users may worry about security, but their actions are quite limited, unless they have some understanding of security and computing.
Some of us optimize profits:
- Builders. The device builder is often some unknown company in China or elsewhere, which builds a device and sells it to vendors that will integrate it into their offering. At best, these guys follow the spec provided to them: they are low-cost companies, and they cannot afford to work otherwise.
- Some vendors. The device vendor is the company with the brand name. They may care about security because of potential liability and bad publicity, but in most cases, this remains a bad economic calculation. Adding security will cost them more than not, so they don’t.
- Users. When making buying decisions, many users (including businesses and governments) will not include security as one of the important criteria, often favoring price. That of course pushes builders and vendors to ignore security.
Of course, not everybody thinks like that. Some companies include security in their priorities, or at least understand that security should be one of their priorities. This is a step forward, but they can still be a long way from secure products, because of two very common attitudes.
Some of us are in denial:
- Vendors. Denial is often visible when an attack occurs. This may of course be part of a communication strategy, but there are two strong indicators of denial. If the communication uses “highly sophisticated” to describe the attack, or “highly unlikely” to describe its exploits, then denial is likely. It is dangerous, because the vendor may then decide to minimize the impact of its actions, whereas in reality, most attacks we see today are rather simple, and most exploits are not implemented only because “bad” business models for them remain unclear. For instance, insulin pump vendors have been in denial. Wirelessly controlled pumps can be hacked and could be used to kill people; this is not used today, most likely because this is not a tool that attackers are used to (although it has many advantages), but that can change any day.
- Users. Denial is obvious for many users, who know that there is a risk and will nevertheless not take any action. An example from outside of IoT is our behavior towards passwords, which are often much weaker than what our knowledge of security issues would mandate.
Some of us lack expertise (or don’t apply it appropriately):
- Vendors. Some systems include security measures, together with poor design or implementation. The Jeep attacks became legendary; some attacks on Philips Hue bulbs were quite sophisticated but generated more buzz. In both cases, security measures were present (firmware update, authentication, usage restrictions and more), but their implementation was not sufficiently secure. This could be a lack of expertise, a lack of judgment, or a combination. In the end, the result is the same: they got hacked.
Denial and lack of expertise are different, of course. In these cases, security is not strictly considered as an externality. However, these attitudes also show an underestimation of their liability level, meaning that IoT security is not sufficiently considered as being their responsibility, and too much considered as an externality.
Today, poor evaluations of responsibility levels are the main blocking point for IoT security.
As long as most people and companies consider IoT security as somebody else’s problem or underestimate their required contribution, we will not see any significant progress. This is why externality is THE issue to be addressed today.
And this is no small issue. It is very easy and tempting to establish a parallel between IoT security and climate change. Climate change is an externality, and many powerful people are trying to address it. Yet, even with international treaties, it largely remains an externality for most actors.
IoT is not on the same scale in terms of life-threatening impact, but it is facing the same issue with similar actors. Global solutions are not going to come easy.