Securing the Internet of Things


Last Friday’s attack was apparently caused by the Mirai botnet, which targeted unprotected IoT devices, including Internet-ready cameras. In its wake, the inevitable has happened. There have been calls for more government regulation:

A U.S. Senator has joined security officials calling for stiffer cybersecurity for Internet of Things (IoT) devices following a major attack last Friday.

In a letter to three federal agencies, Sen. Mark Warner (D-Va.) on Tuesday called for “improved tools to better protect American consumers, manufacturers, retailers, internet sites and service providers.”

People (including Ricochet members) have been warning about the risks of the IoT for ages, but this hasn’t stopped manufacturers from flooding the market with cheap, unsecured devices — nor has it stopped consumers from purchasing them. The consensus of most of the experts I’ve read is that this is indeed a classic tragedy of the commons problem, as Senator Warner suggests, and that the only solution is for the government to step in to solve the problem.

It’s certainly true that no industry could have been warned more often that it had a problem. I read the warnings, and I sure wasn’t keen to buy any of those devices. Frankly, everything I read about the IoT creeps me out and reminds me of this:

But I seem to be an outlier in my instinctive aversion. And it seems to be true that neither manufacturers nor consumers paid those warnings much mind, either out of greed, laziness, or incomprehension. It’s also true that the cost of their error was borne by everyone, not just the specific manufacturers and consumers.

Bruce Schneier, who’s always interesting to read, thinks there’s no conceivable market solution to the problem:

The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.

What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.

So is this genuinely a situation where government must step in? And if so, is it reasonable to expect the government to be any good at regulating this industry?

Also, a question for the lawyers: Why do we need the government to “impose liabilities” on the manufacturers? That’s to say, what’s preventing Brian Krebs from suing them right now? What prevents the people who were inconvenienced by last Friday’s attack from joining a class action suit against the companies in question?

Published in General, Science & Technology

There are 172 comments.

  1. Kozak Member
    Kozak
    @Kozak

    Great. The same government that’s decades behind in IT is going to regulate the cutting edge.  The same government that has managed to allow the identities of millions of employees to be stolen.  This should work great.

    • #1
  2. Matt Balzer Member
    Matt Balzer
    @MattBalzer

    Claire Berlinski, Ed.: But I seem to be an outlier in my instinctive aversion.

    An outlier perhaps, but not alone.

    Along those lines, I can suggest at least one market solution: don’t buy these products. But that’s too simple and doesn’t allow the government to proclaim itself the hero by passing regulations which I would expect to be unlikely to work.


    • #2
  3. genferei Member
    genferei
    @genferei

    Here’s one way of thinking about it: do I have an obligation to Brian Krebs (or whoever) to ensure that my property cannot be used to inconvenience/harm him? After all, I have not authorised or encouraged the controllers of the Mirai botnet to use my cheap device. If I have a car with bad security and it is used in a ram-raid, do I owe the target of the thieves who stole my car anything? Is it right that I should have to have increased security because my car might be used to rob jewelry stores?

    • #3
  4. cirby Inactive
    cirby
    @cirby

    genferei: Here’s one way of thinking about it: do I have an obligation to Brian Krebs (or whoever) to ensure that my property cannot be used to inconvenience/harm him? After all, I have not authorised or encouraged the controllers of the Mirai botnet to use my cheap device. If I have a car with bad security and it is used in a ram-raid, do I owe the target of the thieves who stole my car anything? Is it right that I should have to have increased security because my car might be used to rob jewelry stores?

    If, after a certain number of successful robberies, one of the victims notices that your car is still sitting there unsecured every night, the most obvious response would be to counter-hijack your car and drive it into the nearest river. That’s okay by you, since you don’t care what others do to it. Right?

    Or, in the case of a camera, upload a “bricking” firmware update to make sure that sort of thing never happens again.

    If I were a white-hat hacking group, I’d be looking into doing that already.

    • #4
  5. Phil Turmel Inactive
    Phil Turmel
    @PhilTurmel

    cirby: Or, in the case of a camera, upload a “bricking” firmware update to make sure that sort of thing never happens again.

    It would be enough for government to stop forbidding counter-attacks like this, as responding to a cyber-threat should be under the same umbrella as self defense and defense of property.

    It would spur the market to create un-brickable products, which effectively means un-hackable.   Even if only asymptotically.  /-:

    • #5
  6. cirby Inactive
    cirby
    @cirby

    I’m on the “paranoid” side of computer security, anyway.

    My cable company’s router/modem has its own firewall. I don’t mess with it or rely on it. It feeds into my local wired/wireless router, which has the basic firewall stuff going for it, PLUS it locks out devices by hardware ID and the highest-level security it can manage, with long passwords.

    Then, each computer has its own firewall and password. Tip: Windows 10 can handle passwords of up to 16 characters, which are much, much stronger than “eight random characters including numbers and stuff.” A fourteen to sixteen character password based off of a phrase you know by heart is easier to type, and is nearly impossible for a computer to guess.

    Side note:

    When I’m feeling silly, I pull out one of my older wireless routers, plug it into the wall, turn off its security features, and let it sit.

    Note that I didn’t mention plugging it into the actual network.

    If someone hacks that particular device, they’re going to be really puzzled about why they can’t get out on the net with it. Every once in a while, I wipe it and update the firmware, but it’s NEVER going to be used for anything on my networks…


    • #6
  7. I Walton Member
    I Walton
    @IWalton

    The notion that the government could regulate this industry is beyond insanity.  It is too vast, changes too rapidly, is global, a piece of every other industry and service.  The only role the government could play would be to help some players become more monopolistic by reducing innovative new players.  It is not that they are crooked and would be captured, which of course is true.  It is that it cannot be done.  Which sector in our economy has been successfully regulated?  Which regulating body has not been captured by the biggest players in the regulated industry?  Why is this not avoidable?  The premise that a problem of the commons always requires government regulation is wrong.

    • #7
  8. Matt Bartle Member
    Matt Bartle
    @MattBartle

    I’m in no hurry to put my thermostat on the web! It’s right to be a little paranoid about the IoT.

    But what’s the government going to do, create a regulation that says devices can’t be hackable?? Good luck with that.

    • #8
  9. Austin Murrey Inactive
    Austin Murrey
    @AustinMurrey

    Claire Berlinski, Ed.: What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.

    This paragraph gives me a case of the willies.

    First, government is not the only solution to a market failure. In fact it’s almost never a solution. The best government can do is react to years-old information since that’s how long it’d take to get through committees, Congress and court challenges. That’s way too long to accurately reflect the nature of cybersecurity.

    Second, any lock that’s created can, and will, be broken so it’s a never ending ratchet and eventually I’m having to scan my retina to open my fridge.

    Third, any liability for third party use would encourage false flag attacks. If I’m an unscrupulous GE executive and Samsung is eating into my IoT share, I hire a hacker to ruin some schlub’s life using Samsung equipment to cause the lawsuit. So you create the problem you’re trying to solve.

    Fourth, when you increase the cost of manufacturing goods, which you will, you increase cost to the consumer, eventually putting goods outside of the reach of ordinary consumers. And you’d have to continually spend to improve the security, which requires updates, which requires informed consumers, which, as any IT professional will tell you, you don’t have.

    Government should leave it alone, the market will eventually solve the problem on its own. Hopefully by removing all the internet of things nonsense from consumer electronics. My fridge doesn’t need wifi.


    • #9
  10. Six Days Of The Condor Inactive
    Six Days Of The Condor
    @Pseudodionysius

    Let’s give it to the BATF – right after they go Inspector Clouseau meets Jason Bourne at the North Carolina fireworks and weenie roast recently held at RepubliNazi headquarters in North Carolina.

    Treadstone. It’s not just for flat tires anymore.

    • #10
  11. genferei Member
    genferei
    @genferei

    Just because something is happening that you dislike doesn’t mean there is a “market failure”. Just because you think things would be better if everyone else did something other than what they are doing does not mean there is a “tragedy of the commons”.

    • #11
  12. livingthehighlife Inactive
    livingthehighlife
    @livingthehighlife

    anonymous: Well, let’s take a look at some other things Warner and his fellow Democrats have “done” to “fix” problems in other complex, distributed systems. Warner voted for all of these.

    How are those government “fixes” working out for you?

    This deserves to be repeated over and over.

    Ronald Reagan warned us that the nine most terrifying words in the English language are “we’re from the government and we’re here to help.”

    • #12
  13. Susan Quinn Contributor
    Susan Quinn
    @SusanQuinn

    I’m in awe of the folks in earlier comments who understand the implications of these conditions. Everyone seems to agree, including me, that the government should not get anywhere near this problem. I see no solution (but I’m barely technically capable). There are some things that we just need to do the best we can to avoid putting ourselves in vulnerable situations.

    • #13
  14. Six Days Of The Condor Inactive
    Six Days Of The Condor
    @Pseudodionysius

    Type Canada’s Phoenix Pay System into Google and behold the beauty of a fully operational PayStar as it wipes out pay and benefits for the entire Federal Civil Service before moving on to our military.

    Single payer government healthcare combined with government payroll.

    Tanks!

    • #14
  15. Six Days Of The Condor Inactive
    Six Days Of The Condor
    @Pseudodionysius

    Government assistance is like Herpes – it’s self replicating and never really goes away. Don’t scratch the itch.

    • #15
  16. KC Mulville Inactive
    KC Mulville
    @KCMulville

    Well, one part of this merits more discussion – the notion that government should not only regulate things that cause harm, but in addition, should also be empowered to prevent everything that could go wrong. In other words, that government should not only regulate actual harms, but also possibilities.

    If a person uses something (a USB stick, or a hammer, or for that matter, a banana) to help commit a crime, does that automatically empower the government to regulate USB sticks, hammers, and bananas? Is the problem the crime, or the means used to carry out the crime?

    Should government be empowered to make life childproof, so that nothing could possibly go wrong?

    And do you trust the Joe Bidens, Barack Obamas, and Jonathan Grubers of the world to design it?

    • #16
  17. Percival Thatcher
    Percival
    @Percival

    I avoid the IoT as much as I reasonably can. I have nothing I care to say to my refrigerator, and it has nothing to say to me that I care to hear. I would kind of like a digital camera, but as I’m already CSO of my parents’, my brother’s, and my Internet presence, I don’t need another server to babysit.

    I’m in agreement with everything anonymous and Austin Murrey said, though JW’s length of time away from the not-so-Auld Sod shows when he breaks out the “master-slave” paradigm. I did that some time ago at what was supposed to be a technical meeting. For a while I thought we were going to have to have one of the (uninvited) management types sedated.

    I agree that Schneier is usually a good read, but the idea that a government whose Obamacare website cost a half billion dollars and still didn’t work is going to fix anything is risible.

    • #17
  18. Spin Inactive
    Spin
    @Spin

    As a guy for whom “cybersecurity” is an every day job, I can tell you that it is really two problems:

    Yes, it is true that the average “user” doesn’t care.  But that is largely because the average “user” doesn’t know.

    How is the average person supposed to determine if an Internet-connected device (I refuse to use that acronym that starts with an I and ends with a T and is round in the middle; it is an abomination) is secure?  Most of the IT folks I work with don’t know.  You can read the label on a can of soup and know if it has something bad in it.  How can there be such a label on a security camera?

    The manufacturers shoulder a lot of blame here.  They should have processes within their development lifecycle that ensure good security practices.  I am sure that some of the big companies do.  But I know that a lot of them do not.  I work for an electronics manufacturing company and I’ve sat in many meetings with engineers, and it is clear to me that many of them are struggling to grapple with a simple concept:  “How can this design be compromised?”  They are primarily concerned with making the thing work the way it is supposed to.  Spending precious development cycles trying to think like a hacker is difficult, time consuming, and costly.

    The solution has many facets.

    The government does have a role to play.  Much of this hacking comes from “state actors” and other entities that traditionally fall to the government to deal with.  And they are working on it.  I recently spoke with an FBI agent whose specialty is cyber.  That conversation was enough to tell me that the FBI understands the problem, even if they haven’t fully learned how to deal with it.

    Another facet is education.  We are seeing more and more college level programs aimed specifically at training students how to deal with cyber.  The local community college here has created a program called Cyberwatch West, which is designed to help other community colleges develop cyber programs.  These trained students will go into industry and help make things better.

    (to be continued)

    • #18
  19. Guruforhire Inactive
    Guruforhire
    @Guruforhire

    As I get older I am more likely to think that there is a role for government in managing externalities, information asymmetry dilemmas, and systemic risks.

    I am inclined to believe that this is an issue of negligence which should be handled civilly.  I am not sure how the government could craft an appropriate regulation.  I am especially skeptical because of the hysterics around QoS on the internet, and half the country wanting to make good network engineering illegal.

    I think the first problem is: our government is illegitimate

    The second problem is: its bureaucrats are stupid.

    The third problem: Dunning-Kruger effect among people who flatter themselves tech savvy.

    The fourth problem: we lack a credible information system

    • #19
  20. ctlaw Coolidge
    ctlaw
    @ctlaw

    As we gave control over the internet to the UN, I’m sure they will handle it.

    • #20
  21. Six Days Of The Condor Inactive
    Six Days Of The Condor
    @Pseudodionysius

    Who created the Internet? Isn’t that the answer right there?

    • #21
  22. Matt Upton Inactive
    Matt Upton
    @MattUpton

    Austin Murrey: The best government can do is react to years-old information since that’s how long it’d take to get through committees, Congress and court challenges. That’s way too long to accurately reflect the nature of cybersecurity.

    The quoted author makes a reasonable case to show why the problem is not easily solvable by market forces, but presupposes (domestic) government efficacy without any analysis. All we will get with government regulation is the equivalent of reinforced cockpit doors. Most likely, the regulations will stifle innovation and/or leave gaps for future attacks.

    Austin Murrey: Government should leave it alone, the market will eventually solve the problem on its own.

    Maybe not market forces in the purest form, but bad press, lawsuits, and industry standards will eventually generate some best practices that allow flexibility with new innovations.

    • #22
  23. Eric Hines Inactive
    Eric Hines
    @EricHines

    That’s just another Democrat taking advantage of a crisis for his personal political gain, which includes his increasing government (and so his) power.  It’s another reason to (re)elect a conservative and Republican Congress.

    As to liability, we already have laws that sanction users of various items who use them criminally or “merely” negligently.  It isn’t hard, conceptually, to extend that to users of items connected to the Internet; that’s only a political problem that marks the divide between Progressives’ Government is the answer and Conservatives’ individual responsibility positions.

    And the divide between those who want power and those who should have it.

    Eric Hines

    • #23
  24. Ward Robles Inactive
    Ward Robles
    @WardRobles

    Claire Berlinski, Ed.: Also, a question for the lawyers: Why do we need the government to “impose liabilities” on the manufacturers? That’s to say, what’s preventing Brian Krebs from suing them right now? What prevents the people who were inconvenienced by last Friday’s attack from joining a class action suit against the companies in question?

    The rightful owner of a stolen gun is not responsible for crimes committed by others using that gun- generally. But if she leaves her loaded shotgun on the front porch? Come on contingency lawyers! We need you to save us from the government.

    • #24
  25. I Walton Member
    I Walton
    @IWalton

    Markets always have significant failures, that is what they do, why they constantly adjust, fix, get replaced, emerge into something different everywhere always because markets are an information system that learns from failures even more than successes.  Government in contrast is blind and inept.  Blind because it is not part of the information system.  The important information emerges out of its sight and reach and arrives out of date and as averages missing the important information.  Inept because it is not accountable, always a monopoly, remote, indifferent, spends other people’s money and has no mechanism for self correction, indeed every failure creates new interests so reform has to be built on top of the fossilized remains of past failures.

    • #25
  26. Front Seat Cat Member
    Front Seat Cat
    @FrontSeatCat

    Six Days Of The Condor: Who created the Internet? Isn’t that the answer right there?

    You’re right – make Gore fix it!

    • #26
  27. Ontheleftcoast Inactive
    Ontheleftcoast
    @Ontheleftcoast

    cirby: do I have an obligation to Brian Krebs (or whoever) to ensure that my property cannot be used to inconvenience/harm him?

    Ward Robles: But if she leaves her loaded shotgun on the front porch?

    Unfenced swimming pool? potential liability

    Unsecured server certain to be probed containing national security information? But that’s different!

    Fenced swimming pool with bear traps protecting it? liability.

    “I know every handout in every town

    And every lock that ain’t locked when no one’s around”

    • #27
  28. James Gawron Inactive
    James Gawron
    @JamesGawron

    Claire,

    First, excellent post, you have even included one of my favorites, the Hal 9000 “I’m sorry Dave, I’m afraid I can’t do that…” scene from 2001. Oddly enough, I think your post itself is a key to getting the real fix started. By exposing an intrinsic problem in a fair and balanced way, you have opened the door to those who could solve it.

    Historically, the net & the pc are as good as they are because they did not employ government regulation. The solution was an industry-academia consortium that produced an industry technical standard. The industry technical standard was enforced by the marketplace. As the standard was not that difficult to implement many manufacturers immediately implemented it. Of course, they advertised their product as compliant. Most field consultants would immediately gravitate to these compliant products as they felt less legally exposed by doing so. Soon a stage two effect comes into play. Many adjacent products start to assume the standard and craft their interface to it. Soon the non-compliant products become more and more of a hassle to use because they don’t work with many other high quality products that are much in demand. Now, almost every serious product becomes compliant with the standard.

    It all starts with the public’s clear understanding. The industry, in a very formal organizational way, addresses the problem and then the market takes over. You have accomplished step one.

    Regards,

    Jim

    • #28
  29. Front Seat Cat Member
    Front Seat Cat
    @FrontSeatCat

    The “technically wise” understand the threats and what to do, the rest of us can only hope that the best and brightest in the private sectors can help.  Agree government complicates, but bears some responsibility.  You would think with all the trips that Google CEO made to the WH, they would have come up with something.

    Have we given control to the UN or whomever yet?  Have not even followed that much.

    Just a different thought: We’ve ceded so much control over our lives to devices, and those that make them. My debit card was hacked a month ago. My bank shut it down – they got $3.78 which the bank refunded (they said it was a test amount). They said card was used in TX, PA and I’m in FL so it was sold – they had my pin.  I’ve never been hacked – it was disturbing. I “think” I traced it to a cheap gas station. The bank showed me the pics of a gas pump with and without a skimmer on pump.  Since, I have changed my habits. I changed gas stations, pay cash for things, think about where I use cards. We can’t live in fear, but we are becoming more dependent as consumers on what is being developed, much we don’t need.

    Most electronics are made in China, a communist country, including gov. computers. Hackers compromised the NSA recently – what chance have we then?  Protect yourself as best you can.

    • #29
  30. Probable Cause Inactive
    Probable Cause
    @ProbableCause

    Claire Berlinski, Ed.: There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.

    The externality effect is a legitimate rationale for government intervention into the market.  Just sayin’.

    Though I grant all the caveats, especially (at best) the fecklessness and (at worst) the maliciousness of today’s federal behemoth.

    I, for one, would like to see some level of government successfully prevent the illegal propagation of subwoof noise through my neighborhood.  If they can prove themselves effective in the audio sphere, then I’d be more willing to give them a hearing on their approach to the IoT problem.

    • #30