
Daniel Castro, VP, ITIF

Last week, hackers launched the largest distributed denial of service (DDoS) attacks in history against the Domain Name System (DNS) service provider Dyn, taking offline many of its high-profile customers, including PayPal, Twitter, Reddit, Amazon and Netflix.

Not only was this attack massive and sustained, it also made headlines because the botnet it used to take Dyn down consisted of DVRs, webcams and other connected devices that make up the “internet of things.”
In the wake of this event, many policymakers are left wondering what, if anything, they can do to prevent future attacks and how they can make the burgeoning internet of things more secure.

Fortunately, there is a relatively simple step that Congress could take to jump-start cybersecurity in the fledgling internet of things: require companies to publish a security policy.

Most companies today publish a privacy policy. While multiple studies have found that the average consumer does not read these policies, does not have time to read these policies and does not even know what a privacy policy is, privacy policies are useful in that they create transparency for those who are interested in the privacy practices of an organization.

This transparency in turn creates accountability and oversight from privacy-sensitive consumers, competitors, consumer advocacy groups, reporters and regulators. The Federal Trade Commission (FTC), in particular, has actively monitored the privacy practices of the private sector and held companies accountable for adhering to their stated practices.

The overall result is that companies in the United States have a significant degree of autonomy and flexibility in how they collect and use personal data, which has allowed innovation to flourish, but they still must answer both to their users and to government regulators.

While some privacy policies discuss security, these appear to be the exception rather than the rule. As a result, most companies are not held to the same standards for security that they are held to on privacy.

Instead, the FTC has held companies to vague standards and gone after companies that do not implement “reasonable security” measures — an ambiguous target that likely leaves companies scrambling to avoid regulatory penalties rather than improve consumer security.

While the FTC attempts to provide guidance, these resources can perhaps best be described as “regulation by buzzword.” The FTC helpfully reminds companies to use a “risk-based approach,” implement “defense in depth” and always do “security by design.”

Moreover, an absence of published security policies creates the type of information asymmetry that leads to inefficient markets. Consumers (or tech-savvy reporters or consumer advocacy groups) cannot easily differentiate between secure and insecure products.

Without this differentiation, there are weak market signals to reward companies for investing in cybersecurity or allow more secure products to gain market share. While many large companies still invest in information security as a matter of principle, there are still countless others who make products and services without the same level of commitment.

Many of the problems that we see are companies failing to implement basic security practices, such as using hardcoded passwords, sending data without encrypting it or using poor authentication protocols.

By publishing security policies, companies would be motivated to describe the types of security measures they have in place rather than just make vague claims of “we take security seriously” — especially as their competitors begin to do so.

Consumer Reports, for example, is unlikely to recommend a smart refrigerator that does not encrypt its communication.

Publishing security policies would give individual companies the freedom to manage risk as they see fit, as they would not be required to implement specific government-imposed security features.

But if companies were more transparent about their practices, consumers could make more informed decisions. And if companies fail to uphold their stated practices, and these failures are either intentional or result in actual harm, then regulators like the FTC could take swift enforcement action.

As the Information Technology and Innovation Foundation (ITIF) has argued before, the United States, like most other countries, has a schizophrenic approach to cybersecurity that is broken and ineffective.

The current policy emphasizes relative security over absolute security. Nations want to be able to hack into the systems of their adversaries, but they do not want their own systems to be vulnerable.

So rather than working together to improve global information security practices for everyone, nations spend billions to penetrate systems and hoard zero-day vulnerabilities.

This needs to change.

But in the interim, there is at least one concrete step policymakers can take to begin to change the security practices of the private sector and help pave the way for a more secure internet of things.

Daniel Castro is vice president of the Information Technology and Innovation Foundation, the leading U.S. science and tech policy think tank.

Follow him on Twitter @CastroTech.