The following op-ed was co-authored by R Street Tech Policy Associate Joe Kane.
A surprising number of everyday devices are now connected to the internet. And it’s not just your Amazon Echo or Google Home; it may be your thermostat, your car, or even your toaster.
These devices, and many more like them, make up the “internet of things” (IoT). Though new, these devices are proving quite useful to businesses and consumers. However, the proliferation of billions of new connected devices also presents novel security threats that demand serious attention.
IoT devices create opportunities for bad actors to commandeer devices and use them for nefarious purposes — like temporarily disabling major websites. These incidents have triggered calls for government to proactively regulate IoT security.
Yet, as we argue in a recent policy study from the R Street Institute and Internet Governance Project, market-driven measures are better equipped to address these challenges.
The rationale for avoiding government involvement is twofold. First, the government regulations currently contemplated, though appealing in theory, may forestall necessary security updates and act with an overabundance of caution. Second, private mechanisms already show promise in responding to vulnerabilities.
Though perhaps counterintuitive, government regulation in the form of pre-market approval or particular design requirements would leave firms poorly situated to respond to evolving threats that necessitate real-time response. Far from being built for speed, government regulatory processes are intentionally slow. In the context of IoT security, delay is costly; rapid updates to devices and software are essential to repair vulnerabilities and respond to attacks.
Thus, requiring government entities to approve updates before rollout may do more harm than good. It could lead to scenarios in which the damage caused by an attack compounds while bureaucratic deliberations grind on. Pre-market approval systems, in particular, are prone to potentially harmful delays; in the context of medical devices, pre-market approval systems often delay device deployment by more than 20 months.
Another fundamental limitation of the public sector is the inability of governments to rely on market signals the same way private firms do. Governments are not disciplined by profit and loss because their revenue is a function of taxation, not market exchange. Thus, while expending more resources can always marginally increase security, government is not well equipped to evaluate whether the cost of that regulation is worthwhile. And the proper scope of intervention is hard to calculate without using market prices and profit/loss feedback.
The second reason for avoiding government intervention in the realm of IoT security is that private firms have already forged ahead on providing solutions. Services like Microsoft’s Azure, Amazon’s AWS IoT and Google’s Cloud IoT Core provide trusted-device registration and allow users to control how their devices interact.
Besides having the right incentives to optimize for accessibility and security, these private platforms can also cross borders more readily than jurisdictionally-limited governments. Thus, private firms can maintain both the security of individual devices and the system as a whole. Profit motive also pushes these firms to register as many devices as possible. By aligning incentives and bypassing barriers, these private registries are more likely to foster optimal security arrangements than government-mandated ones.
Cyber insurance is another promising, private option for IoT security. Since their money is at stake in securing IoT systems, insurance companies carefully review potential clients’ risk before writing policies. Once written, policies may require insured parties to maintain security best-practices and practice good cyber hygiene, like completing regular updates and crafting secure passwords, to keep their coverage. Annual renewal procedures also provide a recurring opportunity for both insurer and insured to reassess their preparedness.
Like all technological developments, these market-driven measures are still fairly young but are growing rapidly. In some sense, the IoT field of today is akin to the fledgling PCs of the 1980s and the smartphones of the early 2000s. Security for those devices started weak but grew stronger over time not because of government regulation, but because manufacturers learned more about threats and how to respond to them. Likewise, the well-meaning yet ill-equipped government should not stifle the IoT security market’s potential for growth.
IoT security cannot afford to move at the speed of government. Only by harnessing market driven measures can we can enhance both the security and the possible benefits of the internet of things.
Image by Charles Brutlag