Solving the IoT mess
/Recently Bruce Schneier, one of the best cryptographers working today, testified before Congress calling for a new Federal Agency to oversee Internet security.
Schneier was reacting to the pitiful security state of the so-called Internet of Things. Low cost computers designed to fill one or a few roles -- security cameras, refrigerators, and so on. These have been harnessed by bad actors to create huge, remotely controlled, networks capable of bring down one or many Internet sites on demand and conceivably compromising security in more dangerous ways.
He has rightly concluded that the "market" was not able to address the problem because it is complex, crosses technical, organizational and national boundaries, is largely invisible to consumers and will cost money. All but the most sophisticated individual companies are not motivated or capable of addressing the security of their own products, let alone those of other companies. Even market-leading companies like Cisco allow flaws in consumer products like routers -- which most of us use as firewalls -- to persist without a fix.
Schneier called for government intervention to address the issue -- specifically a new agency focused on the security and trustworthiness of the Internet. Not surprisingly, there are many voices opposed to this, ranging from libertarians who would see it as a government takeover, to jaded citizens who just don't believe the government is up to the task.
I would like to make a humble recommendation. I think that there is a two-part solution that involves government, but in a limited way. What if we established a not-for-profit technical center, similar to the Underwriters Laboratory, which would review and certify a product? This certification would include the following:
- A review process that looks at how a company designs and supports a product. This would include
1) the state of the current software/firmware (no hardcoded master passwords, no poor or homemade crypto, etc.)
2) a useable remote updating process,
3) transparent reporting of bugs and their fix status, and
4) a track record of quickly responding to significant vulnerabilities
- A seal of certification, with a date and serial number that is displayed prominently on the outside packaging (the date gives the consumer a hint that the certification may be aging and should be confirmed).
- A website where anyone can look up the serial number and confirm the certification status and the open issues for this product.
Now for the government side. There could be a law making the fraudulent display of the Seal a felony. I personally think it should prison time for egregious actions. We may also want to make retailers liable for failing to minimally check the status of the products they sell. In addition, we should integrate into the process a review of imports, not allowing any product into the market with a Seal that cannot be confirmed.
This two-part system gives us several advantages.
1) It makes visible the good actors, helping the consumer understand why Product A costs $50 more than Product B. This will allow the market to work more efficiently.
2) It give the world's informal IT support system -- people like me and probably you -- a simple message: "I don't care which router/phone/refrigerator you get, just make sure it has this seal and that it's dated within the last year." For those slightly more technical: "Go to this website and look up the serial number of the Seal. It will tell you what you need to know."
3) It provides real teeth for the bad actors, those who would try to counterfeit the Seal either by punishing them directly or shutting down their access to the US market.
Obviously, this would need some work. The certifying organization would need to be established and funded, the laws would need to be coordinated with certifying organization's actual capabilities. But the well-meaning companies have a vested interest in differentiating their products visibly from the bad guys and so may be willing to help fund it. And given the pressing public interest, I can see an argument for taking the legal steps needed and conceivably for contributing to the organization.