In which we need to save the internet from ourselves
edited March 24 2018

There's a new liberalism that requires me to disclaim up front that, no, I'm not an anti-regulation wing nut or an oblivious fan of the free market.

So, for background, today's threat to life as we know it is the Internet of Things. A staggering number of embedded, network-connected, insecure devices was recently used to shut down access to Brian Krebs' security blog for a few days. It was a hysterically large DDoS, the largest in history, right up until a few days later.

Bruce Schneier has responded by saying that this is a problem that can only be solved by regulation:

What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.

Schneier has been sounding the alarm on IoT security for a few years now. It genuinely is a shame that nobody's really been listening.

But I think his call for regulation is a bit shrill and misguided, and lacks some perspective.

From a historical standpoint, this isn't yet a problem that demands a solution. Mafiaboy shut down a slew of major sites in 2000, and 15 years later, DDoS is a tool for ransom. This isn't an argument that an internet of insecure things attached to larger and larger internet connections doesn't make this a more severe problem ... but the internet is amazingly adaptive. As new vulnerabilities are found, targets find new ways to mitigate them. This has been happening for decades now, and the motivations that Schneier talks about haven't really changed in that time period.

Schneier argues that it's different because the companies producing an internet of insecure devices don't have the resources required to produce better hardware:

Our computers and smartphones are as secure as they are because there are teams of security engineers working on the problem. Companies like Microsoft, Apple, and Google spend a lot of time testing their code before it's released, and quickly patch vulnerabilities when they're discovered. Those companies can support such teams because those companies make a huge amount of money, either directly or indirectly, from their software—and, in part, compete on its security. This isn't true of embedded systems like digital video recorders or home routers. Those systems are sold at a much lower margin, and are often built by offshore third parties. The companies involved simply don't have the expertise to make them secure.

What he doesn't explain is how legislation is going to fix this particular problem. If there were some practical way for the victim of a DDoS to sue the producers of IoT devices -- and there isn't, and I'll come back to that in a moment -- how does that translate to higher margins and development budgets for these devices?

The history goes that, even with their massive budgets, Apple and Microsoft and others simply didn't care about security for a long, long time. Oracle still doesn't (looking at you, Java). Adobe still doesn't (hello, Flash). Those companies didn't start improving the security in their products because of legislation or because of consumer interest, which is still nonexistent, but because they became a target of ridicule among industry professionals.

The trend seems to be that a new technology hits the market, and many different approaches to engineering that technology come along with it, and gradually the technology adopts fewer and fewer standards and portions of it die out and eventually you get a reasonably common technology platform. Sometimes regulation is an important part of this process (automotive safety and emissions standards, I love you!), and sometimes it isn't (hi jQuery). I predict that a common software framework is going to precipitate out of the IoT market long before Congress could find its own ass, and that major vendors that don't adopt that framework or something similar are going to be shamed by the industry until they do.

From a cost perspective, this isn't yet a problem that demands a solution. Phishing costs individual enterprise businesses around $3.7 million per year [pdf] (maybe). 419 scams cost billions of dollars per year. Run of the mill spam costs billions more every year. The cost of DDoS attacks by internet of dumb things pales in comparison.

From a practical point of view, it's hard to imagine that the government that brought you "the internet is a series of tubes" and bandwidth caps and protections for major telecommunication companies that have been bending consumers over for decades and draconian copyright protection laws is capable of drafting legislation that could provide effective relief to DDoS victims without doing even more damage to the internet as a whole.

Let's start with identifying the source of these attacks. Judges have recently found that IP addresses are insufficient proof of copyright infringement. This is good. Any legislation that would provide an avenue for lawsuits from DDoS victims would necessarily run afoul of these rulings: to find liability, internet traffic from an IP address would have to be sufficient proof of fault.

Is that the internet you want?

Maybe it would be enough to establish standards for security compliance in device manufacturers. Sure, okay, I can almost get behind that, but we're talking about the same government that has produced legislation for HIPAA compliance, PCI DSS, and PII regulations, and these are a mess. Some of it is good. Some of it is useless and burdens smaller businesses with unreasonable costs. And in any case, these regulations have altogether failed to even slow down the rate of compromise of personal information.

I would like to see a carefully drafted proposal that addresses these issues and makes the case that regulation is necessary for this problem at this time. I'm not imaginative enough to see how to legislatively fix the Insecurity of Things without making the situation worse for everything else, so until someone else figures that out, I think we'll all be a lot better off if we continue to do what the internet has been so very good at doing for decades already:

come up with a technical solution.

(And my proposal for that is to further decentralize the internet, and come up with a publishing system with built-in distribution. There's no reason why I should have to pick up Brian Krebs' content from one particular group of servers; I should be able to pick it up from any of millions of devices. Y'know, like NNTP did so very long ago.)