Software insecurity in IoT: A problem of our own design
True proactive security is impossible if we do not first address the root causes of our insecurity: the introduction of vulnerable and poorly developed IoT devices into society.
As businesses and individuals race to have the latest products, functionality and design, we have self-established our role as complacent victims, who are willing and often eager to act as crash test dummies for IoT, hardware and software that was knowingly developed without adequate investments in security and software integrity. By willingly increasing our reliance on vulnerable IoT, applications and systems, we have reinforced a business model that rewards rushing flawed products to market. Our continued acquiescence to their harmful practices has signaled to developers that consumers are ready and willing to assume the security risks of breached systems, vulnerable IoT products and stolen data. Compounding this paradigm is a sub-market of vendors who offer security-as-a-service which, while undoubtedly necessary, has dominated security conversations and shifted our attention away from what should be our top priority: reducing the introduction of vulnerable technology into society.
After over a decade of research, increasing media coverage and rising voices demanding cybersecurity responsibility and accountability, there is no excuse for the continued negligence of technology developers. Developers have failed to incorporate security-by-design and responsible coding practices at each stage of the development lifecycle of IoT products and other technology. While progress is certainly being made, it is not happening fast enough. Society is becoming desensitized to the short and long-term impact of breaches and vulnerable technology.
Rather than developers releasing flawed products onto consumers who must then assume the risk of potential impacts in terms and conditions and service-level-agreements (SLA), buyers need to flip the paradigm and reassert their market power by demanding change from manufacturers and policymakers. The goal should be to ensure that security is included at every stage of product development and that negative practices — such as products that provide third-party access to consumer’s systems or data without their informed consent — cease immediately.
Money and responsible regulations are strong incentives for change
One of the top reasons that IoT manufacturers do not prioritize security despite claiming to is that most individual and business buyers do not make decisions based on security requirements, but factors such as cost, functionality and design. Software developers and technology manufacturers, for-profit entities with obligations to shareholders, simply respond to client needs while focusing on the business of every business — improving the bottom line.
While it is unfair to say that security is absent from the development process and boardroom discussions, history shows us that the decision-making process is failing to deliver adequately secured IoT technology. Robust, holistic security development is difficult to accomplish because it is expensive, could slow down releases or may require proactive collaboration with competitors. Without significant incentives from consumers and policymakers, the current culture — which produces vulnerable technology and shifts risk and impact onto consumers — will not change.
To drive the change that society requires, stakeholders — including individual consumers, SMBs, enterprise buyers and governments — must be more vocal in questioning the security of the products that they purchase. They must elevate security as a pillar in the decision-making process. Users need to remember that as the buyer, they are not powerless in the face of software insecurity. During the purchasing cycle and during the lifecycle of their investment, they have the power to act on their dissatisfaction with lackluster product security. When they are negotiating a purchase or service enrollment, they can inquire about product security and practices and can choose to select a competitor if their security requirements are not met. Businesses can ensure that security liability remains with developers during SLA negotiations.
In addition to engaging with the technology community, we need responsible legislation which places meaningful regulations on the industry. While imperfect, health safety has improved through regulations, the financial sector is governed by consumer protections, and the transportation sector is regulated by security standards. At the same time, the software development sector remains conspicuously unregulated and ungoverned despite having a significant impact on every facet of daily life in America, including our national security apparatus. Users of every level can engage with their representatives in the legislative community to inform them that cybersecurity is a constituent concern and create momentum for action.
Through the combination of a bottom-up approach — for example buyers exerting their influence — and a top-down approach – such as meaningful policy, requirements and regulation –, we can course-correct our culture of software insecurity, which is contributing to insecure IoT devices. Through these actions, we can begin to combat the cybersecurity epidemic plaguing American firms and citizens by remediating the fundamental cause of the problem: software insecurity due to negligent development practices.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.