[Last August in CLSR, I examined market failure in the security of desktop / 
laptop / handheld devices:  http://www.rogerclarke.com/EC/SSACS.html:
>Security isn't easier for small organisations and consumers because the 
>drivers for individual responsibility are too weak to overcome the 
>impediments, and this problem is matched by market failure, and compounded by 
>regulatory failure.

[In the article below, Schneier points out that the situation is even worse in 
the case of eObjects / IoT devices.  It's unusual to see an American calling 
for government action;  but that's what's necessary.  As is often the case, the 
most critical jurisdiction for action to be taken is the US, although Europe 
also has some importance.

[Parliaments are so dysfunctional that it's very difficult to get action 
through those channels.  But the Australian Privacy Commissioner has been urged 
for years (at least by me, but I expect by some other people and organisations) 
to use his powers to force baseline security on organisations in relation to 
personal data.  His refusal to do so is a blatant example of regulatory 

Security Economics of the Internet of Things
Bruce Schneier
15 October 2016

What was new about the Krebs [DDoS] attack was both the massive scale and the 
particular devices the attackers recruited. Instead of using traditional 
computers for their botnet, they used CCTV cameras, digital video recorders, 
home routers, and other embedded computers attached to the Internet as part of 
the Internet of Things.

Much has been written about how the IoT is wildly insecure. In fact, the 
software used to attack Krebs was simple and amateurish. What this attack 
demonstrates is that the economics of the IoT mean that it will remain insecure 
unless government steps in to fix the problem. This is a market failure that 
can't get fixed on its own.

... most of these devices don't have any way to be patched. Even though the 
source code to the botnet that attacked Krebs has been made public, we can't 
update the affected devices.

The market can't fix this because neither the buyer nor the seller cares. Think 
of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The 
owners of those devices don't care. Their devices were cheap to buy, they still 
work, and they don't even know Brian. The sellers of those devices don't care: 
they're now selling newer and better models, and the original buyers only cared 
about price and features. There is no market solution because the insecurity is 
what economists call an externality: it's an effect of the purchasing decision 
that affects other people. Think of it kind of like invisible pollution.

What this all means is that the IoT will remain insecure unless government 
steps in and fixes the problem. When we have market failures, government is the 
only solution. The government could impose security regulations on IoT 
manufacturers, forcing them to make their devices secure even though their 
customers don't care. They could impose liabilities on manufacturers, allowing 
people like Brian Krebs to sue them. Any of these would raise the cost of 
insecurity and give companies incentives to spend money making their devices 

Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916                        http://about.me/roger.clarke
mailto:roger.cla...@xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University
Link mailing list