Do as I say, not as I do. Many a child has heard this admonition. A dispute rages (rages might overstate the case) as to its origin. Noted English jurist, politician and scholar John Selden is widely credited with creating the phrase in his book “Table Talk” where he wrote: “Preachers say, ‘Do as I say, not as I do.’” The book was written in 1654, which suggests the sense of the phrase has stood the test of time. But there are those who trace the saying back to the King James Version of the Bible, and I wouldn’t be surprised if at some future time pictures drawn on the wall of some yet to be discovered cave convey the same general sense of appropriate conduct.
I’m reminded of the phrase after reading the testimony of Bruce Schneier, a Fellow at the Berkman-Klein Center at Harvard University, and a cybersecurity expert. Testifying before the House Energy and Commerce Committee after a massive cyberattack took down parts of the internet, Schneier said there is no way to fix compromised devices currently in use. “They’ll remain in use because of an additional market failure: neither the seller nor the buyer of those devices cares about fixing the vulnerability. The owners of those devices don’t care. They wanted a webcam—or thermostat, or refrigerator—with nice features at a good price. Even after they were recruited into this botnet, they still work fine—you can’t even tell they were used in the attack. The sellers of those devices don’t care: They’ve already moved on to selling newer and better models. There is no market solution….”
Taking Mr. Schneier’s point at face value, the lack of a market solution provides a strong argument for government intervention, and there does seem to be some momentum developing for legislation that will require built-in security for internet connected devices. Still, I’m struck by the recognition that owners of infected devices do not seem to care. When surveyed, consumers consistently put data security at the top of their list of concerns. For example, the 2016 Norton Cyber Security Insights Report says, “Within the last year, 689 million people in 21 countries experienced cybercrime. It has become so prevalent that many people equally fear online and real-world risks. More people believe it has become harder to stay safe online in the past five years (63 percent) than in the “real” world (52 percent).” Yet, there is an obvious disconnect between what we think and what we do. The Norton report says, “Despite the growing threat and awareness of cyber-crime, consumers remain complacent about protecting their personal information…Even past victims of cybercrime sometimes fall back into old habits.”
There are many things one could say about the lax way in which we collectively approach cybersecurity. With regard to your next IOT purchase I offer the following…“caveat emptor.”
By Tom Davis, SDI Cyber Practice
November 22, 2016