Who is responsible for IoT security? What about implied warranties?
There are increasing concerns around the security of devices on the Internet of Things given the recent weaponization of many devices to launch DDoS attacks. The specific issues involved poor design and default configurations. Should security be baked in or bolted on after the fact?
Bolting security on after the fact, as I read in a recent Wall Street Journal article, might be likened to retrofitting a '65 Mustang with airbags. Perhaps the analogy is too extreme, although it does emphasize the difficulty and challenges of retrofitting security into an existing product instead of building it in during the design and development phase. Developers, and most likely the companies that sell the devices, would argue that security is the responsibility of the end user: to change default passwords and configurations, as well as to ensure that regular patches are applied, keeping the device software up to date. But is such end-user maintenance realistic or reasonable?
Consumers already live a busy and hectic lifestyle. Connected devices are increasingly becoming a part of everyday life. The sheer volume of time and effort required to continually maintain connected devices on the Internet of Things is arguably an unreasonable expectation for a consumer. In essence, we would be expecting every consumer to be the system administrator of their refrigerator, thermostat, and every other automated home device that may be connected.
So who is responsible and how do we solve these challenges? Government regulation may be part of the solution but cannot be the only solution. It would be nearly impossible to solve this widespread problem through government mandates and regulation. Government regulation should be focused on areas aligned with general product safety standards as is the case with almost every other consumer product.
It is my view, and others may argue differently, that the businesses producing Internet-connected devices should be held accountable for the security of those devices. This is not an unreasonable position to take, because I believe we already have the foundation for such a position in the non-connected product world.
There are two areas which lead me to this conclusion: (1) implied warranties, and (2) value.
To be fair, I am not a lawyer, and those who are lawyers may offer additional color on the implied warranty point. In addition, implied warranties may differ between states. As we will see in a moment when discussing value, implied warranties address fitness for purpose. While a written warranty articulates workmanship and quality, implied warranties ensure that a particular product is fit for purpose.
Fit for purpose is a component of value. Those familiar with ITIL will recognize that business value equals utility plus warranty. Utility is another way of stating fit for purpose. Warranty (in ITIL) addresses capacity and availability. Hence, a product must be fit for the intended purpose for which it is used. For example, it is implied that a refrigerator will keep food cold. It is also implied that a vacuum cleaner will have sufficient suction to clean the floor. Why would it then not be implied that a home product which is connected to the Internet be secure? The security and safety of an Internet-connected device are very reasonable expectations for consumers. Consumers would not expect that their Internet-connected refrigerator could be easily hijacked out of the box any more than they would expect their vacuum cleaner to explode when plugged in.
Besides government regulation and implied warranties for Internet-connected devices, the third leg of the stool would be commercial liability. Manufacturers and producers of defective devices should be held accountable for those defects, and accountability should be enforced by a combination of regulatory bodies and civil litigation. In the same way that Ford Motor Company was held accountable for exploding gas tanks when its Pinto models were struck from behind, manufacturers of poorly designed consumer devices intended to connect to the Internet should reasonably be held accountable when those devices are easily compromised, leading to widespread disruption.
What do you think?