The power of (your) invisible hands: could we create a security and efficiency incentive that works?
I'm a big fan of "the invisible hand", an economics concept coined by Adam Smith. The idea is that an individual's selfish action can produce (good) social benefits elsewhere. An example would be putting a $0.05 tax on a plastic grocery bag. You, being the cheapskate you are, now reuse bags, and that causes a huge benefit for the environment and society. It wasn't about raising that $0.05/bag as revenue; it was about people suddenly seeing that bag as a cost.
Now, let's talk about two of my favourite domains: the security (or lack thereof) of the army of IoT devices that inhabit our lives, and the huge ongoing maintenance effort associated with them. Could we apply an invisible hand to make society safer and more efficient?
Look around your house, do a nose-count. How many devices are somewhat Internet-enabled? Smart-tv? Tablet? Receiver? Stereo? Thermostat? Alarm? Various kids toys? Drone? Cat-feeder? Dog-treat-launcher? Car? Smart-Speaker? Security Camera? It doesn't take long to get 30+.
Now, ask yourself, honestly: when you bought all that, did you look at each vendor critically through the lens of
- which has better security practices (and is thus likely to stay secure in the long run)
- which will be easier to manage and upgrade in the long run
Of course you didn't. Instead you used 'features' and 'cost'. You have no means of even evaluating those other two items.
Now, what if there were some way you could evaluate those two things and vote with your wallet? This would have a dramatic effect on the manufacturers.
First, let's talk about one of the extremely inconvenient truths about the consumer IoT gadget space: the business model. As a consumer, you want to buy it once, own it for life, and not pay an ongoing fee. That is a huge disincentive for the manufacturer to stick around and keep the device secure for life. It creates the flip-side behaviour of 'develop it fast, get it to market, and move on while selling it'. Any development after the initial sale is seen as a waste of time, a cost.
Now let's talk about the second inconvenient truth: management. It's hard to make things easy to manage. Given that same business problem above, as a manufacturer I can simply shift all the costs onto you with complex upgrade procedures.
Now, let's look at a device with a pretty good track record here: the Nest Thermostat, or its better cousin, the Ecobee. They are pretty strong in the second category (they upgrade themselves automatically). And we have not yet seen them be hacked, so presumably they are strong in the first category too. One of the 'bellwether' things I look for is how often a device is upgraded, and if we look at my Nest, it was upgraded 2 hours ago! All by itself.
So why black out the serial/MAC? Well, because the security is somewhat opaque. Yes, I think Google cares about security, and yes, I think they have strong practices. But no one really knows how this device works; perhaps there is some backdoor keyed on something calculated from those two values.
So how would I score these devices? 9/10 on management, and 6/10 on security. How would I make that 6 a 10? Transparency: a published policy on 'how long will we patch', 'what will we do when we give up patching', and so on.
So, could we construct a score, something the typical consumer could internalise, that lets them vote with their wallet? E.g. if, of two devices with similar price and features, one is cheaper to run and more secure, that manufacturer would be rewarded. Many say this is too complex for consumers to understand. But nutrition labels took off, and they are not simple. EnergyStar took off. So yes, voluntary labelling and consumer awareness have had positive effects in other complex areas of industry.
Any input on what factors one would look for?
- Lifecycle policy (how many years will this be supported)
- End-of-life policy (will it be open-sourced? bricked?)
- Update cycle (how often, how quickly in response to problems)
- Is the firmware signed? How are the keys managed? Is there an external CA that manages them? Is it audited? Is there 'transparency' on the keys issued?
- Versions of the software installed: is a list of all the components made available?
- Is the vendor's facility ISO 27001 certified?
- Secure-by-default? Or well-known initial password?
And for ease of use (which is coupled with security in my mind; after all, how often do you update the complex devices? Not often, you lazy sod!):
- Is it automatic update, on-by-default?
- Warning if updates fail?
- Does it work the same way 'the other devices' do, or is it different?
I think there are some business opportunities here:
- CA/signing authority for 3rd party firmware
- Blockchain... sign the chain of software (e.g. linux-kernel -> libc -> libssl -> nginx -> camera app), so each layer's integrity is bound to the layers beneath it
- Standardised 'update as a service', some modular method each piece can be independently upgraded (e.g. upgrade OS vs app)
- Standardised 'get initial WiFi SSID and password' configured instead of all the weird and wonderful apps to 'find' your new device
- 3rd party monitoring/audit/certification
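To make the 'signed firmware', 'list of components' and 'sign the chain of software' items above concrete, here is an added example (not code from this post or from any vendor named in it) of a component manifest where every layer carries a SHA-256 digest, a link hash that binds it to the layer below, and an Ed25519 signature from the vendor key. The component names, version strings and blob contents are constructed for illustration; a real device would hash the actual kernel, libc, etc. The verifier walks the chain from the bottom up and reports the first layer whose bytes, link or signature does not check out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Component is one layer of the software stack listed in the device manifest.
type Component struct {
	Name    string
	Version string
	Digest  [32]byte // sha256 of the installed bytes for this layer
	Parent  [32]byte // Link of the layer below; all-zero for the bottom layer
	Link    [32]byte // sha256(Name, Version, Digest, Parent) - binds this layer to the chain
	Sig     []byte   // ed25519 signature over Link by the vendor key
}

// linkDigest hashes the fields that identify a layer and its position in the chain.
// NUL separators prevent "a"+"bc" colliding with "ab"+"c".
func linkDigest(name, version string, digest, parent [32]byte) [32]byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write([]byte(version))
	h.Write([]byte{0})
	h.Write(digest[:])
	h.Write(parent[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// KeyPair generates a vendor signing key (in production this lives in an HSM or a CA, not on the device).
func KeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildChain signs each layer in order, bottom layer first, linking each to the one beneath it.
// layers[i] is {name, version}; blobs[i] is the bytes of that layer.
func BuildChain(priv ed25519.PrivateKey, layers [][2]string, blobs [][]byte) []Component {
	var parent [32]byte
	chain := make([]Component, 0, len(layers))
	for i, l := range layers {
		c := Component{Name: l[0], Version: l[1], Digest: sha256.Sum256(blobs[i]), Parent: parent}
		c.Link = linkDigest(c.Name, c.Version, c.Digest, c.Parent)
		c.Sig = ed25519.Sign(priv, c.Link[:])
		chain = append(chain, c)
		parent = c.Link
	}
	return chain
}

// VerifyChain is what the device (or an auditor) runs: for each layer it checks that the
// installed bytes match the manifest digest, that the layer chains to the previous one,
// that the link hash was computed honestly, and that the vendor signature verifies.
func VerifyChain(pub ed25519.PublicKey, chain []Component, blobs [][]byte) error {
	if len(chain) != len(blobs) {
		return errors.New("manifest lists a different number of components than are installed")
	}
	var parent [32]byte
	for i, c := range chain {
		if sha256.Sum256(blobs[i]) != c.Digest {
			return fmt.Errorf("%s %s: installed bytes do not match manifest digest", c.Name, c.Version)
		}
		if c.Parent != parent {
			return fmt.Errorf("%s %s: chain link broken (layer reordered or replaced)", c.Name, c.Version)
		}
		if linkDigest(c.Name, c.Version, c.Digest, c.Parent) != c.Link {
			return fmt.Errorf("%s %s: link hash does not match component fields", c.Name, c.Version)
		}
		if !ed25519.Verify(pub, c.Link[:], c.Sig) {
			return fmt.Errorf("%s %s: vendor signature invalid", c.Name, c.Version)
		}
		parent = c.Link
	}
	return nil
}

// SampleStack is a constructed five-layer stack; the blob contents stand in for real binaries.
func SampleStack() ([][2]string, [][]byte) {
	layers := [][2]string{{"linux-kernel", "4.14.2"}, {"libc", "2.27"}, {"libssl", "1.1.1"}, {"nginx", "1.14.0"}, {"camera-app", "3.2.1"}}
	blobs := [][]byte{[]byte("kernel-image"), []byte("libc.so"), []byte("libssl.so"), []byte("nginx-binary"), []byte("camera-app-binary")}
	return layers, blobs
}

func main() {
	pub, priv := KeyPair()
	layers, blobs := SampleStack()
	chain := BuildChain(priv, layers, blobs)
	for _, c := range chain {
		fmt.Printf("%-13s %-8s link=%s\n", c.Name, c.Version, hex.EncodeToString(c.Link[:8]))
	}
	fmt.Println("genuine stack:", VerifyChain(pub, chain, blobs))
	tampered := append([][]byte{}, blobs...)
	tampered[3] = []byte("nginx-binary-with-implant") // swap one layer without re-signing
	fmt.Println("tampered nginx:", VerifyChain(pub, chain, tampered))
}
```

Because every link hash includes the parent's link, upgrading the OS layer invalidates (and forces re-signing of) every layer above it; that is the price of binding the stack together, and it is the trade-off an 'update as a service' scheme that upgrades OS and app independently would have to design around, for example by signing each layer's link under its own key and recording only the digests of its dependencies.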
Others? The next stage in this grand master plan would be, after the launch of the score and some consumer education, to start charging a 'tax' on the weak products. And then Darwin would take over!