Slashdot Mirror


Bruce Schneier: We Need To Save the Internet From the Internet of Things (vice.com)

Bruce Schneier, writing for Motherboard: What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the internet as part of the Internet of Things. Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.


  1. The only way this will get fixed by Registered+Coward+v2 · · Score: 5, Insightful

    is when the manufacturers of the devices get hit with DDoS attacks and it disrupts their business. Otherwise, as TFA points out, they had no reason to bear the costs of fixing the problem since it doesn't impact them. Until there is a significant cost associated with making an insecure device they will remain insecure. That's also one of the problems with the internet, there is no way to block access from insecure devices when they become part of a BotNet. If there was, and manufacturers suddenly got lots of warranty calls when it stopped working they might actually care about security.

    --
    I'm a consultant - I convert gibberish into cash-flow.
    1. Re:The only way this will get fixed by DickBreath · · Score: 5, Interesting

      Maybe the cost needs to be a government fine. That way it has a guarantee of financial impact. No uncertainty about whether a lawsuit will be filed, or whether it will be won. And a private party does not have to bear the cost of initiating the lawsuit.

      Simply have statutory damages for manufacturing an IoT device that has been used in an attack. The device you made was used in an attack. You have to pay the fine. Simple as that.

      Now to make devices more secure there could be something like a process of getting an "Underwriter's Laboratories" type seal of approval. The seal doesn't mean an appliance won't burn your house down, just that it is very, very unlikely. Unlikely enough to suit the insurance underwriters. Which raises the subject of insurance -- for liability of getting fined for building an unsafe device.

      It seems like this would work. Just like electrical devices are pretty safe -- even though manufacturers have a built-in incentive to build them as cheaply and unsafely as possible.

      --

      I'll see your senator, and I'll raise you two judges.