From Silicon Labs - Tragedy of the commons: Why IoT regulation may be a necessary evil

What can sheep teach us about securing IoT? To understand the dilemma represented by the need to have secure devices, think about the problem in terms of collective ownership, like sheep grazing in a commonly owned pasture.

In 1968, an evolutionary biologist named Garret Hardin published a paper in the journal Science with the title “The Tragedy of the Commons.” In it, he described a scenario in which the land provided adequate sustenance for the herd, so long as the number of sheep was kept in check. If each person who grazed on that land acted in their own self-interest and increased the number of sheep they sent to pasture, the land would eventually become insufficient to support the population and, in turn, would be overgrazed to the point where it would it would be unable to support the community that relied upon it. The problem stems from the fact that no single entity in the community is incentivized to take care of the pasture and, as a result, everyone suffers.

Over the past 10 years, the internet has seen an explosion of connected devices that can deliver YouTube to your various screens, unlock doors, adjust temperature from a distance and transmit energy usage to your local utility. And just like the pasture, the internet is a “commons” that has benefits and drawbacks because no one controls it.

While we all benefit from the comfort and convenience afforded by smarter, connected devices, the lack of security of these same devices comes with a downside. Though certainly not an isolated case, the Mirai attack occurred in late 2016 and used IP security cameras that were only secured with a default factory password that could not be modified. These cameras could not be secured by users even if they wanted to do so. The hackers in this case patched the security hole, presumably so no one else could take control of the password, and exploited it to take control of the IP cameras, using their bandwidth to bring down one of the biggest name services on the internet. These name services are the equivalent of the Yellow Pages of the internet. Web services rely on them to talk to one another. The attack caused several high-profile services like Twitter, Netflix and Reddit to go offline and infected an estimated 500,000 devices.

The question at hand is this: Who is incentivized to secure IoT? Should the companies producing connected chips be responsible for enabling secure devices? Should responsibility fall to the manufacturer of the devices, like the folks who make thermostats or cars? Or do we need government regulation to set the baseline for what is acceptable?

To have the government look at IoT security would mean someone is taking responsibility for management of the “internet commons,” but there are challenges on both sides of regulation. Too much has consequences, as does too little.

In a scenario where there is overregulation, the government could go the route of specifying that IoT products require certification and include advanced security features. An IP camera might require a sophisticated and hardened remote management system to upgrade the security during the product lifecycle. The camera’s manufacturer would be required to go the extra step of certifying for security, beyond the UL and FCC certifications it is likely to receive today. A certification typically goes beyond product features, and would require an organization and processes to handle the security for the lifecycle of the product.

All this extra security and certification adds cost and lengthens the time it takes for a product to get to market. For large companies and expensive products, this may be manageable, but it does present barriers to entry for small companies or low-cost/high-volume products, such as connected lightbulbs or window contact sensors. And a lot of the innovation comes from small companies with new ideas, so barriers of entry clearly thwart innovation.

On the other hand, if we stay in a mode of no regulation, the Mirai attack would likely be the first of many. In this scenario, the cyber arsenal of countries could increase exponentially as new IoT devices come online, to the point where the threat of a ballistic missile strike from a rogue nation is easier to understand than the hidden danger of embedded devices being controlled by a hostile agent. Hackers are known to gain control and wait for an opportune time to strike. By accessing billions of connected devices at a granular level — lightbulbs, security cameras, hospital equipment — hackers can be more targeted in who, when and where they attack. This capability has a price that can be sold to the highest bidder and could spawn a black market economy in extortion at levels we’ve never seen.

The tools are out there to take control of a variety of connected IoT devices. Recently, a series of documents released by WikiLeaks, called Vault7, details the specifics on tools stolen from the NSA. The toolbox it released contains hacks for phones and computers, as well as smart TVs and popular internet browsers. That toolbox is likely to expand as more device vulnerabilities are discovered.

In fact, a year ago the exclusive Austrian hotel Romantik Seehotel Jaegerwirt was subject to a ransom event when hackers took control of the connected door locks and held out for payment. The hotel has plans to retrofit now with mechanical locks.

We know today that hackers have access to the U.S. energy grid and there are teams wrestling with how to close security holes, but billions unsecured connected devices provide bad actors with vectors of attack that are nearly impossible to anticipate and defend against.

The dilemma is clear. Too much regulation could slow innovation and increase cost for the IoT. Too little and the price for IoT connectivity will be too high for widespread adoption.

So what is the right level of regulation? It’s likely to be a balance of security versus acceptable risk. Today the U.S. government is urging semiconductor vendors and manufacturers of IoT devices to take cybersecurity into consideration during the design phase. It is also advocating for post-sale and lifecycle monitoring of connected products to detect and guard against vulnerabilities.

As the government is on the verge of requiring minimum security for connected devices in Federal buildings, it seems to be counting on the purchasing power of the government to be a force for change. As regulations for IoT security are developed, here are three principles we’d like to see applied:

1. The government should be proactive about planning for regulation. Politics are intrinsically reactive, but it would be best to ensure regulations are not a knee-jerk reaction to high-profile hacks or newspaper headlines.
2. Regulations and requirements should be vetted and widely communicated by laying out a roadmap and creating a cadence of updates to regulations. In this way, product design cycles can anticipate changes and adapt.
3. Any regulation should be done with a global perspective and market alignment. Many IoT devices are made for global markets, and if every country invents its own regulations and requirements with subtle differences, it will become very expensive and unmanageable for most companies to comply.

Done well, government regulation can make us all sleep better. Without the need to count sheep.