[Last August in CLSR, I examined market failure in the security of desktop / laptop / handheld devices: http://www.rogerclarke.com/EC/SSACS.html: >Security isn't easier for small organisations and consumers because the >drivers for individual responsibility are too weak to overcome the >impediments, and this problem is matched by market failure, and compounded by >regulatory failure.
[In the article below, Schneier points out that the situation is even worse in the case of eObjects / IoT devices. It's unusual to see an American calling for government action; but that's what's necessary. As is often the case, the most critical jurisdiction for action to be taken is the US, although Europe also has some importance. [Parliaments are so dysfunctional that it's very difficult to get action through those channels. But the Australian Privacy Commissioner has been urged for years (at least by me, but I expect by some other people and organisations) to use his powers to force baseline security on organisations in relation to personal data. His refusal to do so is a blatant example of regulatory failure.] Security Economics of the Internet of Things Bruce Schneier Cryptogram 15 October 2016 https://www.schneier.com/crypto-gram/archives/2016/1015.html#1 ... What was new about the Krebs [DDoS] attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the Internet as part of the Internet of Things. Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own. ... ... most of these devices don't have any way to be patched. Even though the source code to the botnet that attacked Krebs has been made public, we can't update the affected devices. ... The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution. What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure. ... -- Roger Clarke http://www.rogerclarke.com/ Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA Tel: +61 2 6288 6916 http://about.me/roger.clarke mailto:roger.cla...@xamax.com.au http://www.xamax.com.au/ Visiting Professor in the Faculty of Law University of N.S.W. Visiting Professor in Computer Science Australian National University _______________________________________________ Link mailing list Link@mailman.anu.edu.au http://mailman.anu.edu.au/mailman/listinfo/link
