But the “stick” incentive is developing, if gradually. The Federal Trade Commission (FTC), in a report issued more than a year ago, recommended that Congress pass “strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach.”
Beyond that, the agency said that IoT device developers “should build security into their devices at the outset, rather than as an afterthought,” and that the process should include “testing their security measures before launching their products.”
Vendors who fail to do that could be targeted by the FTC. Just this week, the Taiwan-based computer hardware maker ASUSTeK Computer agreed to a settlement with the agency over charges that security flaws in its home routers “put the home networks of hundreds of thousands of consumers at risk.”
Most home routers are notoriously insecure, but the FTC’s action in this case could be the first signal that there could be government consequences for that insecurity.
Jarad Brown, an attorney with the FTC’s Bureau of Consumer Protection, noted that even without specific legislation, the failure to provide security to devices could amount to “unfairness or deception” – practices that can result in FTC sanctions.
Geer recommended several changes that would promote better security, including strict liability for developers to replace “100-page EULAs (End User License Agreements),” in which the consumer has to agree that just about any problem is not the fault of the developer or manufacturer.
He also said “independent, destructive testing” would help, and added that this may actually be in the works since UL, and major reinsurers like Zurich and GenRe, “are making some useful noises.”
Lanier is optimistic that things will improve. He noted that part of the challenge is just keeping up with the pace of technology – numerous companies have produced products like smoke alarms, thermostats and even toys for decades that never had Internet connectivity, and now they do.
“However, slowly but surely, this is changing overall,” he said. “Vendors are generally becoming more acquainted with secure development practices, vulnerability handling, and the like.”
Witten agreed. “We're working with a number of organizations to make it easier for customers to know how much security has been built into the devices and systems that they are considering purchasing,” he said.