By: Yan Shvartzshnaider

There is no such thing as a “bullet-proof” system. A system’s security is in a constant state of becoming. Breaking into any system used to require resources and time: the more resources you had, the less time you needed, and vice versa. To protect your system you would want to ensure that it takes a significant amount of time (in the best case, approaching infinity) for the attacker to be able to break it.

For a while, this was an achievable goal: resources were too expensive and hard to come by for the average perpetrator to even bother with an attack. This was particularly true of well-established infrastructure. Things have changed, however. Cloud services like Amazon Web Services (AWS) allow one to spawn hundreds of servers with the ease of clicking a button. We have connected fridges, toasters, thermostats and other appliances to the Internet, creating the Internet of Things (IoT). Today, one needs neither money, expensive resources, nor time to mount a serious attack. In one of the most recent attacks, two teenagers were able to “coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks” from the comfort of their home, while making money in the process.

While the technological landscape has changed, the attitude of consumers has not. The market is full of unpatched devices that make it easy for an attacker to compromise the system and use it as they see fit.

In a recent blog post, “Security Economics of the Internet of Things,” Bruce Schneier discusses these issues and argues that we have reached a point where the government needs to intervene with adequate regulation:

“IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care.”

Whether or not government intervention is the correct answer remains to be seen, but we should all be grateful to Schneier for raising the question.

https://www.schneier.com/blog/archives/2016/10/security_econom_1.html