Tuesday, November 22, 2016

Paths to Better IoT Security

So far, the free market hasn't chosen to supply consumers with a rich variety of secure, safe IoT devices.  I can think of at least two interventions to help move things along: regulation and certification.  These two approaches are complementary.
Regulations could be established by various countries to require devices sold in that country to meet certain security requirements.  Given the low level of security provided by today's devices, that standard would not have to be particularly high to improve the overall security of the IoT installed base.  Importation helps simplify at least one aspect of enforcement.  The U. S. Customs Service, for example, already checks each shipment into the U. S. for banned items---this mechanism is widely used to enforce patents.  And the economics of semiconductors mean that standards adopted by one large market could raise the level of IoT security worldwide.  Chips need to be manufactured in huge volumes to pay off their high design and manufacturing investment.  While some manufacturers may choose to build less-secure variants,  the more secure chips would become default choices for a wider range of IoT systems.
Certification can also help to raise consumer awareness of security issues.  The EnergyStar program is a good example of a voluntary certification program that has benefited energy-efficient products.  EnergyStar works because energy efficiency has emerged as a consumer desire that can be represented by the EnergyStar badge.  In the case of IoT security, personal privacy may be the best selling point for a certification program.  Privacy is something that consumers directly relate to and already care about.  The security required for improved privacy would benefit safety and a number of other imporant goals as well.

No comments:

Post a Comment