IEEE Technology and Society Magazine - June 2018 - 75

development costs in this area are high. They are more
likely to move quickly to the next, more advanced version of their models because that is where the greatest
profit lies. The performance of previous models is not
likely to concern them, particularly once they're out of
warranty. Manufacturers are also aware that consumers
who own webcams and digital video recorders used in
DDoS attacks do not personally know the victims, and
are not likely to pay too much attention to security features. In such cases, security is something that affects
people who are not involved in the transaction between
buyer and seller - an "externality" in economic terms.
Insurers should reconsider their approach to manufacturers and consumers of IoT devices. The cyber insurance
market is said to be worth $3 billion to $4 billion per year,
and is growing at 60 percent annually [10]. Companies
that sell IoT devices may need to be insured against the
possibility that their products may cause harm to their
customers, or others. Effective policy is needed to ensure
businesses that produce devices unfit for purpose, or that
are repeatedly hacked, cannot continue to do so. A business that is compromised, but has taken reasonable
steps to resolve the issue - and shows no negligence -
should be able to claim on its insurance.
Recently IoT devices have also been made available
for extremely intimate and sexual applications with
devices enabling remote logging and control [11], even
incorporating cameras. In this context other security
researchers have identified significant flaws in the
implementation of connectivity, privacy, and data management, which they argue is through the poor choice
of source code reused from public repositories [12]. In
one case privacy protections in the U.S. meant that customers could receive compensation for breaches of
their usage data after a court finding that the breach
had not been disclosed to customers.
In this context the potential for serious sexual
assault leaves device manufacturers clearly open to
adverse judgement and reputational damage even if
perpetrators of such crimes are difficult to identify
and pursue.
For these and other reasons, there may be no feasible market based solution to the issue of poor IoT security, meaning the onus may fall on regulators.

Proposal
Resolution of the security risks identified in our study is
hampered by the siloed nature of regulation that is now
becoming more broadly applicable due to the expansion of communications and forming the IoT. Functions
and objects are the responsibility of discrete government departments and regulatory agencies, but the
agencies now find themselves potentially responsible
for new areas. Further exacerbating this problem is that
JUNE 2018

∕

regulatory standards and benchmarks that apply in one
jurisdiction do not necessarily apply within another.
Medical, traffic control, and building management
systems, cameras, light bulbs and cars with driver-assist
features use an increasing number of IoT devices, yet
are regulated by separate government departments. In
Australia for example, the Therapeutic Goods Administration within the Department of Health regulates medical devices, whereas the Australian Communications
and Media Authority regulates telecommunications,
broadcasting, radio communications, and the Internet,
and the Australian Competition and Consumer Commission regulates consumer safety and fair trade. Regulating IoT devices will involve input from elements within
each of these entities, and complexity is only likely to
increase over time. The Australian government Department of Infrastructure and Regional Development regulates vehicle safety, and may require real-time access to
data feeds from vehicles using IoT devices. As driverassistance technologies develop in cars, the need for
cross-departmental attention will increase. As in Australia, today's regulatory agencies across the world were
created to respond to the rise of earlier technologies.
The coming IoT revolution will require new regulatory
expertise that cuts across the current set of agencies.
We therefore propose a more coordinated and exhortative approach to regulation. Manufacturers will
need to be encouraged to build security at the design
phase. A "security by default" attitude would see consumers having to deliberately disable rather than deliberately enable security features. A mechanism may
need to be found to coordinate software updates
among third-party vendors, and to facilitate the coordinated disclosure of vulnerabilities. Here, a role may be
found for national cybersecurity agencies, such as the
Australian Cyber Security Centre, to coordinate the
security knowledge-sharing of developers, manufacturers, and service providers.
Bodies and services that may have been exempt in
the past from regulation may also come under future
scrutiny due to the evolving need for consumer and
community protection. Because of the serious threat to
infrastructure, it is conceivable that governments may in
the future require Internet service provider networks to
comply with network security standards or meet performance benchmarks. Devices provided by manufacturers or Internet service providers to perform network
boundary roles, such as home gateways, could be
expected to come under higher levels of requirements.
This would mean devices shipped with default passwords, for example, could become a thing of the past.
Further research along the lines of the STEP model is
needed in order to continue to shed light on the burgeoning field of IoT devices.

IEEE Technology and Society Magazine

Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - June 2018