The Failure in the Market for the Internet of Things
The Internet of Things (IoT) is made up of millions of devices, surrounding us in our homes, at our jobs and as we walk down the streets of our cities. IoT devices facilitate many important aspects of our daily lives, but they also pose a significant risk. Unprotected IoT devices have become a popular tool in major Cybersecurity attacks known as DDoS attacks. From the perspective of imposing risk, owning an unprotected IoT device is no different than smoking in a public space, not vaccinating your children or polluting the nearby river. All of these impose (negative) externalities on uninvolved parties and, according to Economic theory, require an intervention by the public sector in the form of taxation or regulation.
This paper provides an Economic analysis of the IoT market failure and the externalities it carries. The goal is to hypothesize the appropriate action from the public sector – perhaps consumption taxes, while considering the alternative characteristics of this untraditional market. The research is divided into four parts. The first part lays out the background and context for this technology, as well as the cybersecurity concerns resulting from its unique characteristics. The second part shifts focus towards an Economic analysis: first describing the negative externalities imposed by unprotected IoT devices and the market failure they cause, followed by an overview of traditional externalities and common intervention mechanisms. To theorize what remedy might be appropriate, the third part uses the framework outlined in part two to establish a preferable public sector intervention in this case. The fourth part reviews multiple factors to consider in designing and executing the preferred remedy. Finally, the paper covers some less traditional aspects of this market, which provide a basis for considering alternative solutions in addition to or, perhaps, in lieu of government intervention.
The previous version of this study includes a broader background covering technology and Cybersecurity, as well as tables and all graphs. It can be found here:
On Friday October 21st 2016 major Internet platforms and services became unavailable in Europe and North America. For about 12 hours, starting from 7:00AM, services, including Twitter, PayPal, Seamless, Airbnb, Amazon, CNN, Fox, Verizon Communications and many more, became unreachable for most users. As the hours passed, reports started to flow in and a picture of an unprecedented attack on a DNS service named Dyn became apparent. The attack was classified as a Distributed Denial of Service (DDoS) attack and it was carried out using “Internet of Things (IoT)” devices around the globe.
To understand such an event, it must be placed in the context of the underlying technologies involved. A user looking to visit an online service or website, requests it using a readable domain name: amazon.com or facebook.com, etc. While, from the user’s perspective, no other action is required, from the internet’s “perspective” some translation is needed from domain name to the actual website address, more specifically known as the IP address. This is the online equivalent of a postal address for a home, rather than just saying: The Empire State Building, for example. The translation from domain name to IP address is done via a Domain Name System (DNS) service, which acts like a phonebook, holding all IP to Domain name translation records. One popular “phonebook” is the Dyn DNS server, located on the American East coast, which was the target of the October attack.
Communications with web services are composed of small packets of information that travel back and forth between the web service and the user. Services on the internet are constantly listening and looking to respond to any attempt to communicate with them. A malicious entity can attempt to overwhelm a service by sending an extraordinarily large number of communications, creating, in essence, a giant traffic jam. The service will attempt to respond to each packet but will end up falling short: crashing or becoming unresponsive. Attacking a service by flooding it with traffic is called a Denial of Service (DoS) attack. To accomplish a successful attack of this type, millions of individual communications are required, which leads to the common practice of exploiting random communication-capable machines for this specific purpose. Designing the attack such that it is carried out via many random machines is what makes this attack “distributed”, which gives it its common name of DDoS (vs. just DoS) attack.
Unfortunately, finding machines that are communication-capable, yet are managed with low security, is very easy, so “abductions” for nefarious purposes are not just possible, but can be easily accomplished. We might not always be aware, but such machines surround us. From digital video recorders (DVRs) and connected thermostats to CCTVs (Closed-circuit television) at a store or building front — all could potentially be used in such an attack. The rapidly developing world of IoT devices ensures that there are more and more machines with internet capabilities in our homes and beyond. Large networks composed of such machines are called botnets and, in many cases, individuals with nefarious intentions control these botnets remotely, while their actual owners are none the wiser.
Attacks like the one that was perpetrated in October are becoming increasingly popular and communication experts predict a rapid growth in attacks — as much as 2.6-fold per year — from 6.6 million attacks to 17.4 million attacks between 2015 and 2020. Europol — the law enforcement agency of the European Union, in their 2016 Internet Organized Crime Threat Assessment (IOCTA) report predicts that: “If current trends continue, it is obvious that DDoS attacks will continue to grow in scale, with the current top-end attacks becoming the norm as attacks reach new heights in terms of bandwidth and volume.”
Preventing such attacks is a complicated task, where much of the challenge is derived from the distributed nature of the problem. While hacking can often be tracked back to its source, here, billions of uninformed participants need to be tracked and handled. Overcoming this problem requires long term strategic planning and, potentially, a reframing of the issue. The market for IoT devices has a negative externality: the cost imposed on society by DDoS attacks. Neither the producers of these devices, nor the consumers have any incentive to take the necessary steps to alleviate this externality, resulting in a market failure. Society suffers the risks and costs of the service failures that occur with these attacks, which are only likely to increase in frequency and severity.
This paper will explore the idea that this issue can be usefully analyzed utilizing the traditional methods of dealing with market failures and negative externalities in the context of Economic theory. We posit that leaving your IoT device unprotected, while the ability to protect it exists, is not like leaving your front door open — which one is free to do, if the risk is acceptable to the individual — but, instead, is much more like smoking in public areas, not locking up your gun or not vaccinating yourself and your children — all activities which are regulated, in order to mitigate market failures. We will first examine the general characteristics of the IoT device and Cybersecurity markets from a technical perspective, along with the specific challenges of overcoming this issue. We will then look at the Economic theory around market failures and negative externalities, focusing on how traditional solutions to market failures could be matched with this market failure. The goal is to determine the appropriate response. Lastly, we will consider some additional aspects of this market failure, which could point to some alternative solutions.
To understand the scope of risk that unsecured systems are exposed to and, consequently, expose others to, an overview of common threats and their characteristics is required. In a recent talk at the Open Source Leadership Summit (OSLS), security expert Bruce Schneier provided an interesting analogy for the current state of technology. He said that “we’re creating an Internet that senses, thinks, and acts, which is the classic definition of a robot.” In his analogy, the world-size robot “has no single consciousness, no single goal, and no single creator.” Yet it impacts all in a direct, physical, manner. In Schneier’s analogy, the brain of this robot includes two parts: storage of information and the ability to efficiently process this information. It could take the form of a large Amazon.com data center that is put in use in order to predict our shopping preferences and conclude the ultimate price of an item. Equivalently, it could be the computer we use to store, process and use information for our daily needs.
Common threats to the ‘brain’ of the world-size robot seek the ability to access these sources of information in order to either gain valuable knowledge or to leverage the fact that this information is valued by others. A simplified categorization of such threats could be as follows: those that act unobtrusively to inform the attacker about actions taken (like a Trojan horse), those that act explicitly by infecting the machine’s functionalities and the surrounding machines and those that utilize the ability to lock users’ data in order to blackmail the owner of the information. In a given attack, one set of particularly valuable information that could be gained by a malicious act is the contact list stored on a machine. This can, in turn, provide the means by which such a malicious program could be further spread, which, in many cases, could be the sole goal of the attacker, as it provides significantly growing avenues of attack.
As mentioned before, common protection from various threats of this type will construct a perimeter ‘wall’ with sensors, on the routes leading to the protected machine. The sensors would detect behavior anomalies, according to predefined instructions (attack signatures) coming from the wall — the brain of the security system. In addition, the walls act as actual gate keepers, filtering access according to a strategy provided by the security company (Kaspersky for example). Generally speaking, the security market of computer owners and hardware/software producers (hardware — the physical parts, software — the programs) includes a mutual interest in keeping machines protected. Both sides will invest in basic protection according to their cost-benefit analysis. Providers of programs/machines have some reputation at stake, while users prefer to protect their monetary investment, as well as their information.
The Cybersecurity market is a challenging market to analyze, as some of its characteristics are unique, most specifically the fact that the sole driver for this market is cybercrime. Reducing inefficiencies and increasing productivity for the end user drive most technology sectors. Yet, the demand for security software, from a consumer perspective, is driven by the fear of becoming the next victim. Security, in this context, is more of a latent variable than an observable variable, since the goal is to avoid the next yet-to-be-known attack and that is the primary motivation behind spending decisions.
Most market estimates paint a portrait of a rapidly growing market with a predictable characteristic in which large firms with valuable data (for example financial institutions and banks) spend the most on the protection of this data, not to mention their reputation that is on the line, which has its own, significant, monetary value. Cybersecurity in the commercial space incorporates the cost of DDoS attacks into their overall security spending. By doing so, they provide an internalization, de facto, as they ignore the cost imposed on the firm by other, unprotected, third parties — owners of private IoT devices. While the interest of protecting such data is clear with commercial use, it is not at all clear with individual use, regardless of its implications. For the individual, interest in addressing security vulnerabilities is proportional to the level of risk. PC owners see some level of risk in losing data and financial investment (purchasing the machine) but owners of passive IoT devices have very little, if any, incentive to add security to their devices. The functionality for which the device was purchased is nevertheless delivered, even if some malicious communication is routed through it. As a result, IoT botnets continue to grow and evolve, as a pandemic supported by the global IoT ecosystem.
The term Internet of Things (IoT) was coined by Kevin Ashton, a British technologist, in 1999 to describe the growing popularity of automating communication between machines. The idea was that machines could communicate, share information and arrive at conclusions — according to some predefined conditions coded by humans. The trend of automating machines became so popular that many sectors began connecting their products to the Internet to allow remote control and integration with other machines – the eyes and ears of the world-size robot mentioned above. When it comes to the eyes and ears — sensors collecting information (IoT devices for example) and hands and feet — actuators (component of a machine that is responsible for moving or controlling a mechanism or system), the abovementioned cost-benefit logic doesn’t always hold. The ability common to most sensor-based machines is sensing relevant information, translating it to data and sending it, down the line, to another machine or end user. While these functionalities sometimes incorporate cutting edge technology, the reality is that these could keep providing their functionalities with minimal protection, if any at all. This is the world of IoT devices — the camera looking at one’s back yard or a remote thermostat at one’s home. These will function even if sometimes they are used to transmit other (maliciously originated) communications. The security state for the eyes and ears of our world-size robot provides a challenge that was not experienced with the brain of the robot.
The unique characteristics of IoT devices (and sensors in general) could be viewed from the perspective of a consumer acquiring such a device. Acquiring an IoT device is not the same as acquiring a traditional computer or a PC. Acquiring a PC includes, in general, two stages: first, one shops for the machine itself (hardware), then one shops for the software (programs) that will be installed on that machine. Many sellers will offer some preinstalled software, like an operating system (e.g. Windows 10), to simplify the initial use. From that point, the owner decides which other programs he/she is interested in and engages in the process of purchasing/getting them according to the rules defined by the software makers. Of course, the intended use has to be considered when buying the machine (hardware), as a lab-intended machine has different needs from a video-editing machine or an email exchange intended machine. Yet, at large, the software decision exists in an independent stage; from Antivirus for protection to word processor and Media Player for functional use. While this is true for most regular hardware, this is not the case with IoT devices. Generally speaking, buying an IoT device reverses this process, such that software abilities are considered first and then appropriate hardware support is verified, but only in a very limited sense. With IoT devices, the two major considerations are the functionality — will it serve the exact purpose it will be purchased for — and its level of integration — can it be controlled with a mobile phone or, similarly, how many additional sensors could potentially be added to a system. The overall use intended by each machine is limited and the goal is often very narrow. The fact that a device serves a few, limited, functionalities shifts the focal point from its hardware abilities to its software functionalities, with the assumption that the producer designed the hardware to optimally serve the software needs.
With this unique situation, we see that when it comes to IoT devices, the market for software is often indistinguishable from that of the hardware and, as such, for our purposes, we can look at this as one market, combining the IoT hardware and the embedded software, including any security measures. From this paper’s perspective, the relevant market failure occurs at this unique interaction. The security failure at the heart of IoT is a product of the lack of incentives owners see in defining the software to provide its maximum security. Producers at the same time have no interest in enhancing the level of sophistication embedded in each machine given that it allows the promised use. Looking closer into the October 2016 DDoS attack could provide some perspective on the ease of constructing such attacks, while utilizing IoT systems – resulting from neglecting to provide security in such devices.
The October 2016 attack used a control system called the Mirai botnet (botnet: robot over a network). First, it scanned the internet to locate vulnerable machines with low security. Then it sent malicious software to all the machines found vulnerable. Lastly, using instructions received from a remote command and control center (C&C), it launched the actual DDoS attacks that ordered those machines to communicate with some given address. In addition, in some cases the Mirai botnet provided IP spoofing — masking the origin IP address — in order to avoid tracking it back to the machine used. According to researchers investigating this and similar attacks, the “Investigation of the attack uncovered 49,657 unique IPs which hosted Mirai-infected devices. As previously reported, these were mostly CCTV cameras — a popular choice of DDoS botnet herders. Other victimized devices included DVRs and routers. Overall, IP addresses of Mirai-infected devices were spotted in 164 countries” “…the botnet IPs are highly dispersed, appearing even in such remote locations as Montenegro, Tajikistan and Somalia.”
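As an added illustration (not part of the original paper or of any vendor's tooling), the first stage described above, scanning the internet for vulnerable machines, is visible from the device owner's side as one device contacting many distinct external addresses in a short time. The Python code below flags that pattern in constructed flow records; the network range, window length, threshold and all addresses are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values for illustration; tune to the monitored network.
LAN = ip_network("192.168.1.0/24")   # assumed home/office address range
WINDOW_SECONDS = 60                  # assumed sliding-window length
FANOUT_THRESHOLD = 20                # assumed: distinct external hosts per port per window


def constructed_flows():
    """Constructed sample flow records: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    flows = []
    # A camera behaving normally: repeated uploads to one cloud endpoint.
    for t in range(0, 120, 10):
        flows.append((t, "192.168.1.20", "203.0.113.10", 443))
    # A DVR probing many different external addresses on one port (scan-like).
    for i in range(40):
        flows.append((i, "192.168.1.30", f"198.51.100.{i + 1}", 23))
    # A laptop browsing: several destinations, but few and spread over time.
    for i in range(8):
        flows.append((i * 15, "192.168.1.40", f"192.0.2.{i + 1}", 443))
    return flows


def scan_suspects(flows, lan=LAN, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Map (src_ip, dst_port) to its peak count of distinct external destinations per window."""
    per_key = defaultdict(list)
    for ts, src, dst, port in flows:
        if ip_address(src) in lan and ip_address(dst) not in lan:
            per_key[(src, port)].append((ts, dst))

    suspects = {}
    for key, events in per_key.items():
        events.sort()
        counts = defaultdict(int)    # destination -> occurrences inside the window
        start, peak = 0, 0
        for ts, dst in events:
            counts[dst] += 1
            # Drop events that are `window` seconds or more older than this one.
            while events[start][0] <= ts - window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            suspects[key] = peak
    return suspects


if __name__ == "__main__":
    for (src, port), fanout in scan_suspects(constructed_flows()).items():
        print(f"{src} contacted {fanout} distinct external hosts on port {port}")
```

Only the device that fans out to many destinations is reported; the camera and the laptop in the sample data stay below the threshold.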
A Kaspersky Lab experiment from March 2017 looked to understand the popularity and profitability of DDoS attacks available on the dark market (the online market for, mostly, illegal products). Their main finding was that ordering such an attack is not very different from purchasing any other product online. The only differences are the required anonymity and the method of payment. The cost for ordering such an attack is defined by the following main factors: source of attack, target of attack, special attack requirements, time length of attack, bandwidth of attack (volume of communications) and overall market costs for attacks in that country. As for the price range, “the actual cost of an attack using a botnet of 1000 workstations can amount to $7 per hour. The asking prices for the services we managed to find were, on average, $25 per hour, meaning the cybercriminals organizing DDoS attack are making a profit of about $18 for every hour of an attack.” This report provides another important dimension to the simplicity of these attacks: executing them requires neither advanced technological understanding nor a significant financial investment, while the costs for the victims are significant. The Kaspersky researchers put it as follows: “The cost of a five-minute attack on a large online store is about $5. The victim, however, can lose far more because potential customers simply cannot place an order. We can only guess how many customers an online store loses if an attack lasts the whole day.”