The private sector often views government as the problem, not the solution. But, in the view of a growing number of experts, the opposite is true when it comes to addressing the rampant and increasing security risks of the Internet of Things (IoT).

While it is not a unanimous view, there is general agreement that the blessings the IoT brings to modern life are being undermined by its curses – and that the market will not correct those curses.

Its almost magical benefits are well documented and well advertised – self-driving cars and the ability to lock or unlock doors or adjust a home thermostat from hundreds of miles away were fantasies only a few years ago. But its billions of connected devices are so lacking in security that they are putting not only individual users at risk, but public and private infrastructure as well, including the infrastructure of the internet itself.

October’s Distributed Denial of Service (DDoS) attack on Domain Name System (DNS) provider Dyn is the most famous illustration.

It only caused inconvenience when it took down a number of popular websites for part of a day. But its use of possibly millions of devices like webcams and DVRs in a botnet to launch the attack showed that the IoT can supply a zombie army of devices that could damage life and safety if aimed at targets like hospitals or the nation’s critical infrastructure.

All while individual users likely had no idea that their devices had been “conscripted” for the attack.

So, since neither developers/manufacturers nor individual users are affected, those are risks the marketplace – competition and consumer pressure – hasn’t corrected. And that means government must intervene more aggressively, according to experts who testified before the House Committee on Energy and Commerce in mid-November: Bruce Schneier, CTO of Resilient Systems, which was recently acquired by IBM; Dr. Kevin Fu, CEO of Virta Labs and a professor at the University of Michigan; and Dale Drew, CSO of Level 3 Communications, an internet backbone provider.

“There is a fundamental market failure at work,” Schneier said. “Basically, the market has prioritized features and cost over security.”

The lack of security, he said, is “a form of invisible pollution. And, like pollution, the only solution is to regulate.”

There are a variety of views on that declaration. Stu Sjouwerman, CEO of KnowBe4, said Schneier is “absolutely right – the FCC should be the agency that tests these devices for minimum required security standards, such as default credentials that need to be changed by the end-user before the device can be put in production.”

Mark Baugher, principal security engineer at Greenwave Systems, is not convinced that government regulation will solve the problem. But he agrees about the reason for the market failure.

“The costs of cheap, poorly designed network products are typically borne by someone other than the users of those products,” he wrote in a recent essay furnished to CSO.

“Economists call this a ‘negative externality,’ meaning that the costs are external to the market. Market-based solutions therefore don’t work.”

This is not a new problem – Schneier, Fu and others have been saying for years that the IoT is insecure because both the developers and buyers of devices care much more about features and price than they do about security.

But Schneier told the committee that the DDoS attack on Dyn shows that the stakes are now much higher than having a bank account compromised or an identity stolen.

“We are connecting cars, drones, medical devices, and home thermostats,” he said.
“What was once benign is now dangerous.”

Of course, what form government involvement should take is less clear. Drew was less forceful than Schneier or Fu about the role of government, saying only that “there may be a role for the government to provide appropriate guidance.”

But there is general agreement that government could and should require what is described as “basic security hygiene,” and while that would not make devices bulletproof, it would make it much more difficult to exploit them.

Matt Devost, managing director at Accenture Security, is one of several experts who told CSO that government can play a crucial role by forcing the market to address the most obvious, blatant insecurities of IoT devices.

“Establishing a minimum essential security requirement in new devices that forces the user to set up a robust password before the device can be used would be an improvement over default passwords,” he said, “along with an ability to automate the firmware update process in the event a critical vulnerability is discovered in the product.”

Fu, in his testimony before the congressional committee, recommended an independent, national cybersecurity testing facility modeled along the lines of the National Transportation Safety Board.

Schneier also recommended that government force “minimum security standards” on IoT manufacturers, including imposing liability on those that fail to comply, “allowing companies like Dyn to sue them if their devices are used in DDoS attacks.”

And Craig Spiezle, executive director of the Online Trust Alliance (OTA), said the government should require that “products not ship with any known critical vulnerabilities, and have a commitment to provide security patches and updates through their life.”

Other regulatory initiatives could get more complicated, however.

Sen. Mark Warner (D-Va.), in an Oct. 25 letter to the Federal Communications Commission (FCC), Federal Trade Commission (FTC) and Department of Homeland Security (DHS), asked if Internet Service Providers (ISPs) could help force improvements in the security of IoT devices by denying insecure devices access to the internet, including refusing to assign them an IP address.

FCC Chairman Tom Wheeler, in a Dec. 5 response, noted that global realities mean that the actions of a single ISP won't change much. “Protective actions taken by one ISP against cyber threats can be undermined by the failure of other ISPs to take similar actions,” he wrote. “This weakens the incentive of all ISPs to take such protections.”

Experts are also extremely wary of government involvement in regulating any element of internet security because of its demonstrated desire for “back doors” into devices and networks.

Schneier, even while calling for federal regulation to improve IoT security, said that “government needs to resist the urge to deliberately weaken the security of any computing devices at the request of the FBI.”

Baugher, while declaring that “government is needed for cybersecurity,” also declared just as emphatically that “the US government can’t deliver it,” in part because it has demonstrated repeatedly that it can’t secure its own infrastructure. He cited multiple examples – former secretary of state and recent Democratic presidential candidate Hillary Clinton is the most famous – of Cabinet-level officials using private, and insecure, email servers.

But more significant, he said, is that US government policy “is and has been to weaken device security to better enable information collection. The government is in no position to advocate mechanisms for increasing the cybersecurity of IoT or other applications when it simultaneously tries to undermine the security of devices and their users.”

For now, specific regulations with legal force and penalties appear to be some time away. Not that there is no activity. The FTC recently announced the "IoT Home Inspector Challenge," a contest that “challenges the public to create a technical solution (‘tool’) that consumers can use to guard against security vulnerabilities in software found on the Internet of Things (IoT) devices in their homes.” The winner will receive a $25,000 prize, with $3,000 prizes for runners-up.

There are also a number of government documents that address internet security – DHS recently published "Strategic Principles for Securing the Internet of Things," but noted that they are “non-binding principles and suggested best practices,” which means there is no force of law and no consequence for failing to follow them.

Sjouwerman called the document “a good start, but no teeth.”

Baugher, noting that there are other government “best practices” recommendations, said the DHS paper suggests to him that “there seems to be a competition between some federal agencies. The proposals at this point seem more political than technical.”

And Spiezle said that while “the threat of government regulation as well as enforcement is important, we need action today.”

That, he said, can come from the private sector. He said OTA has issued a public call to major retailers including Costco, Amazon, Best Buy and Target “to stop selling products that fail to adhere to core foundation security and privacy principles.”

“We are speaking to insurance companies to consider the same on product liability,” he said. “Retailers do not sell products that could hurt a child or made by child labor, why sell and profit from selling products with known vulnerabilities?”

The OTA, he said, published version 2.0 of what it calls “The IoT Trust Framework” on Jan. 5, which he said is intended to provide “a tool for developers to develop against, retailers to audit the products they are selling and businesses to use to evaluate the products they purchase.”

Fu said the good news, if there is any, is that serious attention to IoT security could yield significant benefits. “For IoT devices already deployed, take joy that the millions of insecure IoT devices are just a small fraction of what the IoT market will resemble in 2020,” he told the congressional committee.
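The "no default credentials" requirement that Sjouwerman and Devost describe above (change the factory credential before the device can be put into service) is simple to state but is where most of the devices conscripted into the Dyn botnet failed. The following is an added example, written for this page and not taken from the article, from any testimony, or from any vendor's firmware, of what that gate looks like in code: a device model that keeps its network services down until the owner has replaced the factory credential with one that is not on a known-default list and meets a minimum strength policy, and that stores the result as a salted PBKDF2 hash rather than plaintext. The `Device` class, the `KNOWN_DEFAULTS` list, the length and character-class thresholds and the sample credentials are all constructed assumptions for illustration.

```python
"""Added illustration (not from the article or any vendor): a first-boot
provisioning gate of the kind Sjouwerman and Devost call for. The device
refuses to expose network services until the factory credential has been
replaced by an owner-chosen one that is not a known default and meets a
minimum strength policy. The default-credential list, the policy thresholds
and the Device class are constructed for this example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample of factory credential pairs of the kind shipped on cheap
# network devices; a real device would embed the full list it ships with.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("root", "12345"),
    ("user", "user"),
}
MIN_LENGTH = 12          # assumed policy minimum
MIN_CLASSES = 3          # assumed: of lower, upper, digit, symbol
PBKDF2_ITERATIONS = 200_000


def password_problems(user: str, password: str) -> list[str]:
    """Return every policy violation found; an empty list means acceptable."""
    problems = []
    if (user, password) in KNOWN_DEFAULTS:
        problems.append("matches a known factory-default credential")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() == user.lower():
        problems.append("equals the username")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so a dumped flash image does not yield
    the plaintext credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS)


@dataclass
class Device:
    """Minimal model of a device's credential state (constructed)."""
    provisioned: bool = False   # False while the factory credential is live
    username: str = "admin"
    salt: bytes = b""
    digest: bytes = b""
    services_up: bool = False

    def set_owner_credential(self, user: str, password: str) -> list[str]:
        """Replace the factory credential. Returns the list of policy
        problems; the credential is stored only when that list is empty."""
        problems = password_problems(user, password)
        if problems:
            return problems
        self.username = user
        self.salt = secrets.token_bytes(16)
        self.digest = hash_password(password, self.salt)
        self.provisioned = True
        return []

    def start_network_services(self) -> bool:
        """The gate: telnet/HTTP/UPnP listeners stay down until provisioned."""
        if not self.provisioned:
            raise RuntimeError(
                "refusing to start services: factory credential still in place")
        self.services_up = True
        return True

    def verify(self, user: str, password: str) -> bool:
        """Constant-time login check. Always fails on an unprovisioned device,
        so the factory credential never authenticates anyone."""
        if not self.provisioned:
            return False
        candidate = hash_password(password, self.salt)
        return (hmac.compare_digest(user.encode(), self.username.encode())
                and hmac.compare_digest(candidate, self.digest))


if __name__ == "__main__":
    dev = Device()
    try:
        dev.start_network_services()
    except RuntimeError as err:
        print("boot:", err)
    print("rejected admin/admin:", dev.set_owner_credential("admin", "admin"))
    print("accepted:", dev.set_owner_credential("owner", "Correct-Horse-42") == [])
    print("services up:", dev.start_network_services())
    print("factory login still works:", dev.verify("admin", "admin"))
```

The design point is that the check sits in front of the listeners, not in the login handler: a scanner that reaches the device before the owner finishes setup finds nothing to log in to, and the factory credential is never accepted by `verify` at any point in the device's life. Devost's second item, automated firmware updates, is a separate mechanism and is not covered here.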