As IoT insecurity creates vulnerabilities, policymakers become concerned about the health of the Internet. How can public policy address these concerns in a smart way, targeting their efforts to improve IoT security without imposing unnecessary costs across the Internet ecosystem or creating unintended effects? What is the role of government versus industry?
Gerald Faulhaber
Professor Emeritus, Business Economics & Public Policy, Wharton School
https://www.cablelabs.com/informed/
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] IoT Security
1. IoT and Cybersecurity:
What Can Be Done?
Gerald R. Faulhaber
Professor Emeritus, Wharton School
“IoT Security – Risks, Solutions and Ramifications”
New York, NY
April 12, 2017
4/12/2017 IoT: What Can Be Done? 1
2. What's the Problem?
• Threats to customers and others: outdated software, insecure communications (authentication, encryption), malware threats, botnets.
• Fixes:
– Devices ship with current software
– Secure auto updates
– Strong authentication, restrictive communication
– Best security & cryptography practices
– Security support for device lifespan
Reference: “Internet of Things (IoT) Security and Privacy Recommendations”, BITAG 11/16
3. Another Take on Fixes
– Incorporate Security at the Design Phase
– Advance Security Updates and Vulnerability Management
– Build on Proven Security Practices
– Prioritize Security Measures According to Potential Impact
– Promote Transparency across IoT
– Connect Carefully and Deliberately
Reference: Homeland Security “Strategic Principles for Securing the IoT” 11/16
4. Are Fixes Happening?
• NO
– No standards for devices and software
– No requirements to upgrade security
– Only the earliest efforts to establish standards
• Field day for hackers: turn off alarms, disrupt households, easy prey for setting up botnets, etc.
– Most retail consumers are not even aware their Smart TV can be hacked, so they see no need for protection
– Third parties may suffer the most, via botnet attacks, etc.: an externality
5. Making Fixes Happen: Institutions
• Institutions must deliver:
– Establishing security standards for all
• Standards should change as technology evolves
– Enforcing standards throughout vertical chain
• Voluntary compliance
• Private enforcement/product liability
• Regulatory enforcement
– Inform/involve customers (commercial/retail)
6. Institutions: What Works, When
• Industry voluntary
– Potentially responsive to technology change
– More industry- rather than customer-focused
– “Good Housekeeping Seal of Approval”
– Works well when:
• Industry and vertical chain have small number of firms
• Standards enforcement easy
• Customers value good product information
– Problematic for IoT cybersecurity
7. What Works, When II
• Voluntary standard-setting, legal implementation
– Agreed standards enforced via product liability
– Less responsive to technical change (requires a change in law)
– Enforcement via customer liability suits
– Works well when
• Technical change is relatively slow
• Few, easily identifiable firms
• Product important to customers; enforcement costly; no externalities
– Problematic for IoT cybersecurity
8. What Works, When III
• Regulatory/Industry Joint Effort
– EPA/Industry Energy Star, SEC securities regulation
– Responsive to technical change
– Enforcement via regulatory monitoring/legal action
– Potential for publicly visible regulatory capture
• SEC record of ongoing enforcement failures
– Works well when
• Lots of firms, technical change fairly rapid
• Customers (such as retail) not involved in problems
– Could work well for IoT cybersecurity
9. What Works, When IV
• Regulatory
– EPA auto fuel standards
– Less responsive to technical change
• Standards set by bureaucrats
– Enforcement stringent, credible
– Works well when
• Lots of firms, technical change fairly slow
• Customers (retail) not involved in problems
– May work OK for IoT cybersecurity
10. So What To Do?
• It appears a Regulatory/Industry joint effort is likely the preferred option, but not perfect
– All options will be slow to implement
• Not clear who should be the regulator; the FTC is the privacy regulator, but this job is probably more than it can handle
– Its regulatory record is good but not great
• Need to coordinate with government efforts for cybersecurity (e.g., Homeland Security, NTIA)
– Use common principles, different implementation