This is the first in a two-part series exploring what drives weak cybersecurity in consumer IoT devices. The second part may be found here.
Cybersecurity in U.S. consumer Internet of Things (“IoT”) electronics is remarkably weak and this vulnerability is driven, in large part, from the economics behind these devices. Consumers lack the knowledge to make cybersecurity-informed purchasing decisions even if they are willing to do so – and many are not, particularly for low-end items. This means manufacturers are not rewarded for building good cybersecurity into their devices and may even be punished. Developers who take the time to build security into their devices may lose the race to the market and the advantages that come with getting a product there first. Collectively, these factors make it unlikely that market dynamics alone will improve cybersecurity in the consumer IoT market. Policy interventions will be necessary to mitigate some of these economic incentives.
The consumer IoT electronics market consists of devices designed for daily household use, whose primary purpose is not internet-enabled communication or browsing. This narrow definition cabins the analysis of the IoT sector to a ubiquitous and problematic set of products. It includes everyday goods like baby-monitors, refrigerators, and even toasters whose operation is enhanced with or facilitated by an internet connection. It excludes goods not used in the home like cars with internet capabilities or components of complex industrial systems (PDF: 3.66 MB).
This definition of “consumer IoT electronics” also excludes personal computers and smartphones. While these devices could conceivably fit within this definition the differences between these items and what is frequently described as a consumer IoT device are substantial. The largest difference is basic security consciousness: while consumer IoT is a relatively new field, computer and operating system developers have been dealing with worms and computer viruses since the 1970s. The sector, thus, has at least some experience providing baseline levels of security. For example, the basic Windows 10 operating system includes numerous features designed to reduce a computer’s vulnerability to attack. While not invulnerable, such baseline security differentiates personal computers running this software from consumer IoT, where cybersecurity is frequently near non-existent and security methods developed for traditional computers are harder to repurpose for IoT products. Similarly, smartphones like the iPhone and Android maintain a basic security awareness not present in most consumer IoT devices and, as higher end items, have substantially more latitude to build security into their products than other IoT manufacturers.
Cybersecurity deficiencies in the consumer IoT sector pose substantial risks to the integrity of the internet. Weak security makes these devices comparatively easy to compromise and recruit into a botnet, a collection of connected devices that can have devastating effects on internet security. Botnets are frequently used by malicious actors for everything from spam advertising to distributed denial of service (“DDoS”) attacks that can effectively knock websites – and internet itself – off-line.
Botnets have been around for a while but the number of IoT devices and the weakness of their security has dramatically increased the threat botnets pose. This was vividly demonstrated during the 2016 Mirai botnet attack. Tens of thousands of IoT devices with weak security were subverted into a botnet that temporarily disabled large swathes of internet infrastructure on the East Coast. Today, more sophisticated botnets continue to exploit vulnerable IoT devices.
However, harms inflicted by botnets like Mirai also help explain why market incentives have failed to drive improvement in the consumer IoT sector. Weak cybersecurity is a classic case of “negative externalities (PDF: 1.58 MB),” where the harm for a choice falls primarily on a third party. In the case of Mirai, for instance, individuals may not have been even aware that their IoT device had be subverted – the costs were born by the companies and individuals who lost internet access. Thus, while vulnerable IoT devices can harm their owners, such as when an IoT baby monitor was hacked to deliver threats to a family, the primary harms of vulnerable IoT devices fall on third parties.
Externalized harms drive down what consumers are willing to pay for security in their devices since they do not receive the benefits of their spending. This is an area that needs more research particularly since there appears to be a divergence in opinion between consumer surveys, which suggest that the public is willing to pay more for cybersecurity, and manufacturer surveys which find the precise opposite. One way to reconcile these surveys may be to note that the IoT consumer goods market is incredibly diverse. Consumers may be prepared to pay more where high-end or luxury devices such as smart home technologies are concerned, while still be unwilling to pay more for security in low-end products and those with slimmer profit margins. However, this means that large numbers of cheap IoT devices with weak security will still find their way to the market. The result is a classic “tragedy of the commons”: each consumer maximizes their individual benefit by purchasing cheap IoT devices with weak security while the Internet as a whole becomes increasing vulnerable to the threat of massive consumer IoT botnets.
Compounding these challenges, even where consumers are willing to pay, they may not be equipped to make purchase decisions that encourage manufacturers to make secure devices. Consumers remain largely unaware about good cybersecurity practices or products. Accordingly, they have difficulty buying secure products (PDF: 1.5 MB) even if that is their goal. This makes it difficult for purchasing decisions to drive out IoT products with weak cybersecurity or reward secure products.
Consumers’ limited knowledge creates what George Akerlof called the “market for lemons.” (PDF: 379 KB) This market failure occurs when consumers cannot distinguish between goods of varying quality. Sellers of higher quality goods leave the market since consumers, unable to ascertain the benefit associated with a higher priced good, do not purchase from them. The result of this feedback loop is that the market for quality goods disappears. The lack of consumer cybersecurity knowledge may make the consumer IoT (PDF: 1.5 MB) and software (PDF:119 KB) sectors particularly vulnerable to this effect.
At the same time, manufacturers have substantial economic incentives to win the race to the market or quickly to add additional features, trading security for speed in the process. Anderson and Moore documented how software development (PDF: 119 KB) is particularly vulnerable to this: the cost of weak security is externalized to third parties and consumers reward manufacturers for adding functions or being first to market. This phenomenon is replaying itself in the IoT space where manufacturers are again foregoing security in a race to get to the market. Indeed, this issue is likely more acute in the consumer electronics IoT market given the challenges of creating effective security in these smaller devices with less computing power (PDF: 469 KB).
In short, the consumer IoT electronics market stands at the intersection of two market failures: a market for lemons induced by consumers limited cybersecurity knowledge and a tragedy of the commons created by the fact that these devices externalize their major harms.
A number of strategies have been proposed to moderate these market pressures. Senators Mark Warner and Cory Gardner have proposed changing incentives through government spending with the Internet of Things Cybersecurity Improvement Act. The bill sets minimum standards for IoT devices purchased by the federal government. It is expressly designed to partially remedy the existing IoT market failure, leveraging federal spending to push the broader marketplace into better security practices. Other efforts have focused on improving consumer knowledge: IoT testing and certification programs by bodies like Underwriter Labs and the Cyber Independent Testing Lab have sought to promulgate standards and reports that will improve consumers’ ability to make better cybersecurity purchasing decisions.
However, given the systemic weaknesses in the consumer IoT electronics space, these strategies will need to be pursued with substantially more vigor by both the government and the private sector if they are to serve as a meaningful counterweight to existing economic incentives.
Samuel G. Bieler is a Student Fellow in the Program on Corporate Compliance and Enforcement at New York University School of Law.
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.