Recent developments in the cybersecurity sphere read like a dystopian novel. The devices we use for convenience and entertainment in our homes are being taken over for malicious purposes by forces unknown.
A number of significant hacker attacks have occurred in the past several months, many powered by the “smart” routers, gaming devices and thermostats that consumers envision as means to enhance their homes.
Malware can pollute these Internet of Things (IoT) devices, transforming them into nasty botnets – hijacked private devices that send spam and mass amounts of traffic to other computers without the user’s knowledge. In November 2016, those botnet-spammed targets included internet performance management company Dyn and French internet service provider OVH. When these targets go down, thousands of websites and internet connections fall in tandem.
What’s scary is that while dangerous malware continues to evolve, there is little will to improve the security of the IoT devices that are enabling these breaches.
We’ve reached a turning point in cybersecurity. The only way the situation is going to improve is with government intervention, mostly because neither consumers nor device sellers nor manufacturers seem willing or able to take up the fight.
This lack of action in regards to IoT cybersecurity has created an environment where there is the recognition that increased security is important, but since it’s not a juicy issue that carries much electoral sway, the will to change just isn’t there. The incoming Trump administration will have to take a leadership role in pushing for new regulation, even if there’s not a lot of voter will demanding it.
The Obama administration made progress on cybersecurity, particularly with the creation of the Commission on Enhancing National Cybersecurity this past year. In December, the group released a report summarizing a nine-month study and proposed a number of recommendations. One is a new labeling system for devices that resembles the nutritional fact stickers on food. These labels would include a series of security ratings for devices, giving consumers the ability to compare device security and make better-informed purchasing decisions – ideally reducing the number of hacking vulnerabilities.
These new security ratings can be useful on devices, but only if – as the commission has suggested – these labels are created by an independent body that is externally reviewed. This costs money and takes political leadership, and it’s uncertain as to whether the Trump administration will adopt suggestions recommended by an Obama administration-commissioned study.
For his part, President Trump has been briefed by the commission on the importance of increased cybersecurity, as well as the recommendations of this new study. In his platform, President Trump promised an immediate review of all U.S. cyber defenses, though it’s unclear how much that review will affect IoT devices outside immediate federal agencies and departments. This too costs money, and we will have to wait and see where federal dollars will be spent when it comes to advocating for cybersecurity.
The Economics of Security
The nature of manufacturing technology creates another challenge. Regardless of the domestic solutions and efforts taken, we have no control over the regulation and scrutiny placed on technology that is made in Asia and sold in other parts of the world.
This is a challenge. While a device may never physically enter the U.S., it could still be used to take down websites domestically.
The best solution for cybersecurity involves a multifaceted, multi-party approach – creating an environment where effective security is incentivized for manufacturers and desired by consumers. In today’s context, incentivization translates to economic reward for good security. Basic economics tells us that if there is enough demand for something, suppliers will adapt to include that something in their products. Whether it takes encouraging consumers, suppliers, manufacturers, or all of the above, some reward must be developed to make secure devices more enticing.
These principles can be applied to security for internet-enabled devices. According to the United Nations Statistics Division, American consumers make up 29 percent of the world’s total consumer base. So while domestic demand may flag an issue to manufacturers, American interest alone will not provide the tipping point necessary to influence a manufacturer’s decision to beef up their devices’ security.
There is the potential for the United States to be the leader in convincing stakeholders in other major markets – namely Japan, Germany, France and the United Kingdom, which make up a further 22 percent of the international consumer market – to demand strong internet security regulations on devices. By creating markets where IoT devices can only be sold if they include sufficient security software, the demand for safer devices may be one that bears more bite. Not only that, but these software improvements would likely be included on all new devices, increasing cybersecurity globally.
Increasing the desirability for cybersecurity is no easy feat, and requires the involvement of several parties in both the United States and abroad. The security rating labels proposed by the Commission on Enhancing National Cybersecurity can play a role in putting security at the front of consumers’ minds. However, these labels will need to be reviewed and updated continuously. Just as the malware that invades our IoT devices, these efforts must be agile and ever-changing.
The mainstream media must increase its reporting on cyber attacks and, more importantly, the implications those hacks have on the lives of everyday Americans. The government too can work to make security more desirable through public awareness and education campaigns.
This is truly an area where the actions of a few countries can drive global change. While IoT devices can be useful and fun, we have to start treating the internet and its devices for what they really are: dangerous and vulnerable places that require careful control.