Tag Archives: Samuel G. Bieler

Uncertain Regulatory Theory and Law Hampers Consumer IoT Cybersecurity

Banner with Program on Corporate Compliance's name and logo that announces this post is a student fellow blog post

by Samuel G. Bieler

This is the second in a two-part series exploring what drives weak cybersecurity in consumer IoT devices. The first part may be found here.

Poor regulation of the consumer IoT electronics sector compounds the negative market incentives discussed in the first part of this series. While standards for IoT devices are taking shape in some sectors of the U.S. economy, no similar regime has been developed for the broad consumer IoT electronics market. Moreover, little expert consensus has developed as to what such a regime would look like even if the political will existed to implement it. Such a regime would also have to contend with the challenges of regulating a market where many key actors are overseas. These challenges need not pose an insuperable barrier to developing a sound regulatory regime but do suggest that far more thought needs to be put into understanding what IoT regulation would actually look like.

Market Dynamics Encourage Weak Security in Consumer IoT


by Samuel G. Bieler

This is the first in a two-part series exploring what drives weak cybersecurity in consumer IoT devices. The second part may be found here.

Cybersecurity in U.S. consumer Internet of Things (“IoT”) electronics is remarkably weak, and this vulnerability is driven, in large part, by the economics behind these devices. Consumers lack the knowledge to make cybersecurity-informed purchasing decisions even if they are willing to do so – and many are not, particularly for low-end items. This means manufacturers are not rewarded for building good cybersecurity into their devices and may even be punished. Developers who take the time to build security into their devices may lose the race to the market and the advantages that come with getting a product there first. Collectively, these factors make it unlikely that market dynamics alone will improve cybersecurity in the consumer IoT market. Policy interventions will be necessary to mitigate some of these economic incentives.

The consumer IoT electronics market consists of devices designed for daily household use, whose primary purpose is not internet-enabled communication or browsing. This narrow definition cabins the analysis of the IoT sector to a ubiquitous and problematic set of products. It includes everyday goods like baby monitors, refrigerators, and even toasters whose operation is enhanced with or facilitated by an internet connection. It excludes goods not used in the home like cars with internet capabilities or components of complex industrial systems.