Should Vendors and Governments Get Involved in Device Security?


 

Many products today have computers within them. This now includes TVs, fridges, air conditioners, cars, DVD players, printers, alarm clocks, cameras, lights, watches, phones and many more. Some of these are connected to other devices or to the Internet and are hence called IoT (Internet of Things) devices. If any of these devices has a dangerous flaw, the vendor recalls the device. This was shown recently with the Samsung Note7, which was recalled due to batteries catching fire.

The question is how this applies to security in these devices. What security issue would be severe enough to require a recall?

To use another recent example, the Chinese company XiongMai Technologies recalled cameras and DVRs that were used in recent DDoS (Distributed Denial of Service) attacks. Based on this example, once a device has proven to be insecure and that insecurity is used to significantly impact people or organisations, the device should either be fixed or recalled. This is a very reactive approach, and one that doesn’t give people, organisations or insurance companies a great amount of faith in the security of devices. That said, we have survived with this reactive approach for centuries, as it is rare for law or governments to rule on anything preemptively.

So the current method is that, in time, enough security incidents (bad things) will occur to shape the law and push governments to create regulations on security.

An alternative would be to legally force a high level of security on all products, with a penalty of fines or sanctions if the product is found to be vulnerable. Bruce Schneier has taken this view, that regulation is needed for devices connected to the internet. This sounds great in theory, but if we look at the recent DRAM bit-flipping vulnerability and the numerous exploits being created for it, the impact would be massive. This could destroy companies, increase the cost of computers, reduce the availability of computers to lower-income families and slow down the rate of innovation within IT.

Furthermore, IT (Information Technology) is still very immature and going through a high rate of change and instability. Consider that the internet as we know it started in 1989, making it 27 years old. Should we let this young, growing “person” learn by making mistakes, or restrict them with a ball and chain in fear of their abilities? Or should the parent (government) step in to stop them going off the rails? Maybe if we think that technology as we know it is going to be completely destroyed by cyber attackers, then it would make sense for the parent (government) to step in by enforcing device security (through regulation and compliance).

Let’s take a moment to think about the motivation for such an attack. For the cyber attackers trying to gain financial advantage (who are the majority), this is actually counterproductive, as destroying the internet would also destroy their ability to connect and gain financial advantage. As for the cyber attackers without financial motives, such as hacktivists (hackers with a cause) and nation states (countries), it is highly likely that they will use internet services for their own benefit and cause, so it is in their interest not to destroy the internet. This leaves a very small number of people with the motivation to destroy the internet and connected computers, and an even smaller number of people with the cyber attack capabilities to do so. Therefore the likelihood of even an attempt to destroy the internet is extremely low, not to mention that even if they were successful, people are naturally resilient and would recover services after a bit of time. This reasoning focuses on DDoS attacks causing outages and does not look at manipulation or eavesdropping, which are also concerns with their own impact. So does the risk justify the impact of a regulation?

Consider that any such regulation would reduce IT innovation and thus create a negative ripple effect across the economy. Hence the path of least damage would be not to implement regulations at this point. In the future, once we have more examples and IT has grown older and wiser, it might be time to consider creating security regulations across all devices or IoT. Maybe this regulation will require Internet-connected devices to be security patched over the internet. But until that time, a risk-based approach can help each organisation manage its risks and apply extra controls to high-risk devices such as planes, cars or medical devices.