The Free Market Won’t Fix Botnets, Government Report Says

The current booming market for internet-connected devices, such as cameras, thermostats and home assistants, doesn’t sufficiently incentivize companies to secure their smart products or penalize them when those products are breached, according to a draft report released Friday by the Commerce and Homeland Security departments.

The result is that connected devices are easy prey for hackers who can recruit them into armies of zombie computers known as botnets. Those botnets, in turn, can force websites and services offline by spraying them with overwhelming traffic.

Cyber watchers have long complained that so-called internet of things devices are frequently difficult to patch when manufacturers discover new vulnerabilities in their software. They’re also frequently not secured by passwords or outfitted with default passwords.

That problem isn’t going to get better on its own, according to the draft report, which is scheduled to reach President Donald Trump’s desk later this year.

“Market incentives motivate product developers, manufacturers, and vendors to minimize cost and time to market, rather than to build in security or offer efficient security updates,” the report states, adding that “there has to be a better balance between security and convenience when developing products.”

For the most part, however, that “better balance,” does not include regulators imposing new burdens on connected device manufacturers, according to the 68-page report.

Instead, the government should create market incentives that increase return on investment or lower costs for industries that adopt better security practices, the report states.

Government should also urge industry to adopt security baselines for connected devices and promote those baselines internationally through bilateral agreements with other nations, the report states.

The report does envision regulators, such as the Federal Trade Commission and Food and Drug Administration, taking enforcement actions against companies that fail to meet established security benchmarks or that falsely advertise that their products are more secure than they are.

Those recommendations are in line with previous government cybersecurity reports, which have generally shied away from promoting direct regulation.

The report responds to a directive in the president’s March executive order on cybersecurity.

It was compiled through a series of meetings and public comment calls by Homeland Security’s National Security Telecommunications Advisory Committee, and Commerce’s National Telecommunications and Information Administration and National Institute of Standards and Technology.

The report is open for public comment for 30 days.

The report also recommends that:

• The connected device industry should create a voluntary labeling system to tell consumers which devices have been vetted and deemed secure.
• Industry should develop a similar labeling scheme for internet-powered devices that run industrial control systems, such as dams and energy storage and distribution systems.
• The government should perform targeted research to make software coding more secure and sponsor competitions for researchers to create secure software development systems.
• The government should also establish a public awareness campaign to help consumers understand the importance of connected device security.
• The federal government “should lead by example” by demonstrating the practicality of security tools it wants industry to adopt.
• The connected device industry should aim to “maximize security while reducing or eliminating security knowledge requirements” for the consumers who buy their products.
• Internet service providers should share more cyber threat information with each other, both domestically and internationally, to stem botnets before they cause damage.
• ISPs should also share more information with law enforcement officials so they can more readily disrupt botnets.