
The tragedy of the commons: Why IoT regulation may be a necessary evil

What can sheep teach us about securing IoT? To understand the dilemma represented by the need to have secure devices, think about the problem in terms of collective ownership, like sheep grazing in a commonly owned pasture.

In 1968, the ecologist Garrett Hardin published a paper in Science with the title "The Tragedy of the Commons." In it, he described a scenario in which common land provided adequate sustenance for the herd, so long as the number of sheep was kept in check. If each person who grazed on that land acted in their own self-interest and increased the number of sheep they sent to pasture, the land would eventually become insufficient to support the population and, in turn, would be overgrazed to the point where it could no longer support the community that relied upon it. The problem stems from the fact that no single entity in the community is incentivized to take care of the pasture and, as a result, everyone suffers.

Over the past 10 years, the internet has seen an explosion of connected devices that can deliver YouTube to your various screens, unlock doors, adjust the temperature from a distance and transmit energy usage to your local utility. And just like the pasture, the internet is a "commons" that has benefits and drawbacks because no one controls it.

While we all benefit from the comfort and convenience that smart, connected devices provide, the security of those same devices is lacking. Certainly not an isolated case, the Mirai attack in late 2016 made use of IP security cameras protected only by default factory passwords that could not be changed. Even if users had wanted to, they could not have secured these cameras. In this case, the attackers closed the hole behind them, presumably so that no one else could take control of the devices, and used the cameras and their bandwidth to take down one of the biggest name services on the internet (the Dyn DNS attack of October 2016). These name services are the equivalent of the Yellow Pages of the internet; web services rely on them to talk to one another. The attack caused several high-profile services, including Twitter, Netflix and Reddit, to go offline, and the botnet infected an estimated 500,000 devices.

The question before us is: who is incentivized to secure the internet of things? Should the companies producing connected chips be responsible for enabling secure devices? Should the responsibility fall on device manufacturers, like those who build thermostats or cars? Or do we need government regulation to set a baseline for what is acceptable?

To have the government look at IoT security would mean someone is taking responsibility for management of the "internet commons," but there are challenges on both sides of regulation. Too much has consequences, as does too little.

In the case of over-regulation, the government could take the route of specifying that IoT products require certification and must include advanced security features. An IP camera might need a complex, hardened remote management system so that its security can be upgraded throughout the product's life cycle. The camera's manufacturer would be required to take additional steps to ensure security, beyond the UL and FCC certifications it may obtain today. Certification typically goes beyond product features and requires an organization and processes to handle security over the product's life cycle.

All this extra security and certification adds cost and lengthens the time it takes to bring a product to market. For large companies and expensive products this may be manageable, but it does raise a barrier for small companies or low-cost, high-volume products such as connected light bulbs or window contact sensors. And a lot of the innovation comes from small companies with new ideas, so barriers to entry clearly thwart innovation.

On the other hand, if we settle into a mode of no regulation, the Mirai attack may be the first of many. In that scenario, as new IoT devices come online, a nation's cyber arsenal could grow exponentially, to the point where the threat of a ballistic missile strike from a rogue state is easier to understand than the hidden danger of embedded devices controlled by hostile agents. Hackers are known to take control of systems and wait for the right time to strike. With granular access to billions of connected devices (light bulbs, security cameras, hospital equipment), attackers can be far more targeted in what, when and where they attack. That capability can be sold to the highest bidder and could create a black-market economy of extortion at a level we have never seen.

The tools to control all kinds of connected IoT devices are out there. Recently, a series of documents released by WikiLeaks, known as Vault 7, detailed hacking tools taken from the CIA. The published toolkit includes hacks for phones and computers, as well as for smart TVs and popular internet browsers. As more device vulnerabilities are discovered, that toolkit is likely to expand.

In fact, a year ago the exclusive Austrian hotel Romantik Seehotel Jaegerwirt was subject to a ransom event when hackers took control of its connected door-lock system and held out for payment. The hotel now plans to retrofit with mechanical locks.

Today we know that hackers have gained access to the U.S. energy grid, and there are teams working hard to close those security gaps, but billions of unsecured connected devices give bad actors attack vectors that are nearly impossible to anticipate and defend against.

The dilemma is clear. Too much regulation may slow innovation and increase the cost of IoT. Too little, and the price of a connected world becomes too high for it to be widely adopted.

So what is the right level of regulation? It is probably a balance between security risk and acceptable risk. Today, the U.S. government is urging semiconductor suppliers and IoT device manufacturers to consider cybersecurity during the design phase. It also advocates post-sale, life-cycle monitoring of connected products to detect and remediate vulnerabilities.

With the government on the verge of requiring minimum security for connected devices in federal buildings, it seems to be counting on its own purchasing power to be a force for change. As regulations for IoT security are developed, here are three principles we'd like to see applied:

  1. The government should be proactive about planning for regulation. Politics are intrinsically reactive, but it would be best to ensure regulations are not a knee-jerk reaction to high-profile hacks or newspaper headlines.
  2. Regulations and requirements should be reviewed and widely communicated, with a roadmap and a published schedule for updates. That way, product design cycles can anticipate changes and adapt.
  3. Any regulation should be done with a global perspective and market alignment. Many IoT devices are made for global markets, and if every country invents its own regulations and requirements with subtle differences, it will become very expensive and unmanageable for most companies to comply.

Done well, government regulation could help us all sleep better. No need to count sheep.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are those of the writers and do not necessarily convey the thoughts of IoT Agenda.
