But several IoT experts said that while FTC complaints are a valuable tool, they would not be a magic bullet any more than various “best practice” standards or other initiatives have been.
Dan Geer, CISO of In-Q-Tel, who has written and spoken widely on vulnerabilities in the IoT, said he thinks even though information sharing is “a messy topic,” it has to exist at some level for real progress to happen. He and Richard Danzig, senior adviser to the Johns Hopkins University Applied Physics Lab, recently argued in an IEEE Security & Privacy article that there should be no "silent failures" – that those who are breached should share useful information about it.
“If we are to learn from failure we have to know about it – not allow it to be silent,” Geer said.
Of course, there is widespread resistance to that, since companies fear brand damage and the possible exposure of intellectual property if they are too transparent about breaches. But Geer said the industry needs to find a way to do it. “I don’t see how we make progress if we can't keep score, and the score I'm thinking of is pretty simple: How often were you attacked where there was at least some measure of success?” he said.
Daniel Castro, vice president of the Information Technology and Innovation Foundation (ITIF), said he believes the route to better IoT security has to include both effective consequences for bad security and better rewards for good security.
He doesn’t object in principle to the enforcement actions by the FTC. But he said the “reasonable security” standard is too vague, yet if it gets too specific and detailed, it might stifle innovation.
“If people are looking just to put a proof of concept out there, they might not do it if they have to spend too much time and money on security,” he said. “Plenty of people would say that’s just too much. You can’t do it one-size-fits-all.”
He agreed that consumers have a right to expect connected devices to be “safe.” But he said consumer awareness is not yet at the level that would affect the market.
“One question is, how do you make it so the consumer considers” security in deciding what to buy, he said. “Right now, there is still no incentive for making it a priority.”
Jim Rapoza, senior research analyst and editorial director at the Aberdeen Group, is one expert who thinks consumer awareness is growing. “Even now, if you look for some devices that have been implicated in security issues – such as some nanny cams and home security devices – you can quickly see from reviews on retail websites that there are issues,” he said.