It feels like hardly a week goes by without announcements of major security breaches or leaks. And while we’re not in the business of keeping tabs on individual breaches (egregious ones excluded, such as the unsecured database containing millions of voice recordings covered two weeks ago), there was enough smoke this week to warrant a closer look at where the systemic fire might be.
Let’s start with Wikileaks’ Vault7 document drop. While anything Wikileaks publishes these days should be consumed with a rather copious amount of salt, the framing of the purportedly leaked documents, which seemed to ascribe to the CIA almost mythical powers of “cyber”, brought the discussion around consumer IoT electronics to the fore again.
And of course everybody now thinks that the CIA or NSA is who they need to worry about when it comes to IT security. They’re the ones who get their hands on a lot of zero-day vulnerabilities (which tend to linger for a long time, as a fortuitously timed study by RAND shows). And yet, the reality is far more mundane.
It might sound antithetical, but I’m coming around to thinking that for IoT to work successfully, and sustainably at that, maybe we need to raise the barriers to entry. Apple often gets a bad rap for its stringent requirements for MFi and hence HomeKit certification, among which is a requirement for a custom security module, but that makes those low-hanging-fruit attacks so much harder. The tradeoff, of course, would be much slower product discovery, i.e. figuring out what people actually want out of connected homes and connected products.
Relatedly, we need to dispense with the notion that “Data is the New Oil.” It leads producers of goods who have no business running backend servers and data collection efforts to think they have to do it, or else they’ll miss out on a massive revenue opportunity. There’s a reason why you shouldn’t host your own email server, and that’s the exact same reason why you probably shouldn’t be collecting customer data yourself. Leave that to the professionals. But I guess you don’t become a disruptive platform unicorn with classic core competency matrices.