In a recent blog post, “Security Economics of the Internet of Things” on Schneier on Security, security expert and cryptologist Bruce Schneier describes the economics of securing IoT devices. The post was written in response to unprecedented DDoS attacks against investigative security journalist Brian Krebs and his website, krebsonsecurity.com.
Schneier describes an interesting situation in IoT security where neither the purchaser nor the seller has a business stake in security quality. As a result, IoT security across the industry is very weak or non-existent. This is far different from the smartphone or computer markets, where there is strong business interest and security patching, and devices are replaced every two to three years. Schneier notes that weak and sometimes non-existent IoT security creates an “externality”, a sort of invisible pollution, that broadly impacts many individuals and businesses. So while the purchaser and seller don’t share a business interest in security quality, other innocent parties may be harmed by their decisions, much as with environmental pollution. Schneier takes a strong stance, describing IoT security as a market failure and arguing that government involvement is the only way to correct failed markets.