

The Big Bad Smart Fridge

Leonie Tanczer’s FIRST 2019 keynote (recording now available on YouTube) looked at more than a decade of European discussions of whether/how to regulate the Internet of Things (no, I didn’t realise, either) and how we might do better in future. This is particularly relevant to an incident response conference as – as Mirai and other incidents have revealed – CSIRTs are, and will continue to be, strongly impacted by whatever incentives regulators may (or may not) create.

There’s little question that the IoT involves many complex issues – in particular lack of knowledge, lack of incentives, and lack of monitoring of the results of the previous two – however it seems odd that consumers can (if they choose) rely on regulators to deliver a safe bottle of milk, but are left to themselves to assess the safety of the internet-connected fridge they store it in. In a global supply chain, liability – either of vendors or distributors – may not be an effective way to internalise the external costs of insecure devices. And such discussions as have taken place in the past have tended to concentrate on only the first half of the IoT lifecycle – design, purchase and setup – and omitted the much longer, and more hazardous, questions of maintenance and disposal.

However, in recent years there have been more promising signs. ENISA’s Baseline Security Recommendations for IoT come highly recommended. Also, whereas older studies suggested that consumers had not understood that it might be worth paying extra for a more secure device or service, in recent years there has been both much stronger interest in security labels and a (probably demographic) shift towards devices being bought in physical shops rather than online. This suggests that even a simple labelling scheme such as that recently consulted on by the UK Government (no default passwords, a reporting channel for vulnerabilities and a date until which patches are guaranteed) may have some beneficial effect. If the fridge, like the bottle of milk, has a “best before” date then that might provide a helpful signal in purchasing choices.

Finally, although discussions on IoT Governance may not seem to be moving forward, they are definitely moving upward, with the WTO, OECD and World Economic Forum all expressing an interest. Security and Incident Response teams – not just those directly associated with product security – should take any opportunities to provide input and experiences.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
