Who’s in charge? The written and unwritten contracts between the consumer, the manufacturer and the state

When you purchase an electronic device, how do you know it will work? How can you be sure that it will not harm your environment or even your safety? How can you know that the device will not be used as a means of espionage?

It goes without saying that in our current reality, consumers purchase a multitude of different electronic devices. For some, these have become a key tool for their work and day-to-day functioning, and there are even people who consider their smartphone to be an extension of their very body. As such, the question as to whether we can trust these devices should not be taken lightly. The following article aims to present three ways in which this issue is being dealt with.

Brand-based trust

No matter where you are in the world, if you’re hungry you know that you can look for the local golden arches and eat there without a concern. But what makes us so sure that their food is good? How do you know that you won’t get food poisoning? The answer is that we trust the brand: we know that no matter where we are, the food they provide will be the same quality we are familiar with. This inner brand compass is based on familiarity, and it relies on the fact that established brands have clear guidelines to assure the quality (and taste) of their products.

The same is true in the world of electronics. We put our trust in brands like Apple, LG, Samsung, HP and others. We trust them because their name stands for quality, safety, design, experience and expertise. The brand name reassures the consumer that the proprietary security and best practices have been applied during the manufacture of IoT products. This is also one of the reasons why people are willing to pay premium prices for such brands.

But naturally, no brand is flawless. Over the past year it became evident that Apple was slowing down old iPhones, HP had keyloggers installed on its laptops, and the Samsung Note could explode in our very pockets. All in all, not a great year for the big electronics manufacturers.

Brand-based trust is a significant factor contributing to our growing dependence on technology, but it does not provide a complete solution. Nowadays, many manufacturers make good quality electronics for a fraction of the cost of the familiar brands. Yet the need to provide cheaper devices can lead to lax security and quality assurance. So the question remains: who is in charge of protecting consumers?

Government regulation

In many cases we count on our governments to set the rules and regulations that help us to go about our day-to-day lives safely. From public transportation to public health, these systems provide guidelines for collective behavior. It is therefore not surprising that governments and international organizations (such as the UN) have set rules in the telecommunications and electronics world. Of course, the brave new world of IoT provides new challenges to governments and authorities, which vary in expertise, size and political power. Two major players in this arena are NIST and ENISA.

The National Institute of Standards and Technology (NIST) is “basically where the best practice unicorns go to graze”. NIST is a powerful US government agency, whose source of authority is not only the law, but also its expertise and professionalism. The standards published by NIST are used today everywhere in the US (and respected worldwide). Therefore, every manufacturer planning to sell their products in the US uses NIST standards. Currently, NIST is working on multiple routes to tackle the challenges of the IoT world. This includes multiple publications, guidelines and frameworks, as well as setting up the NIST Cybersecurity for IoT Program. While there are many NIST standards for electronics and the internet that are already used in the IoT realm, NIST has yet to provide specific standards focusing on the unique security challenges of IoT.

If we move away from the US (which also has the NTIA, the FCC and more), we can look to the second most powerful Western market, the European Union (EU). The European Union Agency for Network and Information Security (ENISA) is the center of expertise for cyber security in Europe. ENISA operates in three different areas: recommendations, activities (which support policy making and implementation), and ‘hands on’ work (which includes collaboration with operational teams throughout the EU).

While the work done by government organizations such as these is hugely important, there are multiple inherent weaknesses. The first and foremost is dependence on political threats and opportunities. This can take effect through straightforward pressure by a local government, or through subconscious bias toward the preferences of the country they operate within. Another challenge is the ‘time to market’ of governmental regulation, which takes a huge amount of time compared to the rapid development of the IoT market, resulting in an attempt to shut the stable door after the horse has bolted. Finally, even once regulations have been published, they are often too ambiguous and too difficult to enforce to prevent security issues.

NGOs

The third principal way of dealing with the question of trust and regulation is through NGOs. These include different organizations, alliances, groups and coalitions, which are usually situated between the private and governmental sectors. In some cases these organizations are alliances of companies striving to cooperate and standardize specific aspects of the industry, such as the WiFi Alliance; another type is consumer-based organizations aiming to help customers in the face of big corporations, such as Consumer Reports. In the IoT world, the key organizations are industry alliances. For example, the IoT Security Foundation (IoTSF) is an international non-profit body which aims to promote IoT security from a holistic, system-wide perspective. The purpose of IoTSF is to draw up best practices for the changing world of IoT. The IoTSF is self-funded, and is led by businesses and technical security experts. To achieve its goals, the organization has set up seven working groups, and is working to set up its own standards, as well as to become involved in regulations and standards issued by government agencies.

Most of these organizations depend heavily on members and partners from the industry. This is a double-edged sword: on the one hand it allows the organization to stay relevant to the industry, and to have inside information that allows it to plan effectively; on the other, this dependence creates a problem as member companies look out for their own interests, leaving the cat to guard the cream. Organizations can be, and indeed are, successful when coordinating multiple points of view to avoid becoming locked into proprietary solutions, yet there is very little incentive to do so in the security world.

Conclusion

Brands, governments and NGOs are making tremendous advances to secure IoT devices. However, the puzzle is not yet complete, and often the consumer is left exposed. In this new, rapidly growing and ever-changing world of IoT, a new source of trust needs to emerge. This source should be independent from both vendors and manufacturers, but equally must work with them to make sure that security architecture is not only in line with current regulation and standards, but is also built to counter current and future threats.

This requires a flexible cooperation between security vendors taking initiative on the one hand, and NGOs/governmental standardization bodies following suit to publish standards in a timely fashion. This will help the IoT market coalesce around accepted security solutions.

VDOO is a source of trust with the flexibility of a commercial company, and the courage to become a global player which enables manufacturers to create secure IoT devices, while protecting the consumer.