Server banks at work inside a data center at AEP headquarters in Columbus, Ohio, May 20, 2015.

Server banks at work inside a data center at AEP headquarters in Columbus, Ohio, May 20, 2015. John Minchillo/AP

How to Get the Market to Make Secure IoT Devices

New rules for government purchases might be the fastest way to make sure new internet-connected devices don’t join botnets.

Smartphones now outnumber people and by 2020, anywhere from 20 billion to 50 billion internet-connected devices will populate the Earth, creating an internet of things with both massive economic potential and grave security concerns.

Securing the internet of things is among the federal government’s largest technological challenges and a policy nightmare.

The government can’t agree on whether it should regulate this booming market or which agencies should be involved. Security is often less a priority for companies than introducing new products, and that has consequences. In October, hijacked, vulnerable IoT devices effectively shut down parts of the internet by flooding web services provider Dyn with bunk traffic.

John Sheehy, vice president of strategic services for IOActive, a Seattle-based security company, said the federal government could take a lesson from Mayo Clinic, a health care organization taking on the IoT challenge with a not-so-secret weapon: procurement.

“The Mayo Clinic is building a minimum requirement for medical device security and so minimum standards will likely be adopted by other people in industries,” said Sheehy, speaking Thursday at the Defense One Summit. “Not only can the federal government help address this problem by using language within their own procurement vehicles, but also by having a standard out there for the procurement of vehicles, medical devices or anything else the government buys in bulk—and allowing other people to reference that as a minimum standard.”

Hospitals across the country already use millions of web-connected devices like infusion pumps, pacemakers, patient monitors and ventilators to care for patients. Increasingly, those connected devices are implanted within human bodies themselves. By forcing device suppliers and manufacturers to “have a minimum level of security capabilities” based on buyer best practices, Sheehy said hospitals can incentivize the adoption of systems that don’t introduce vulnerabilities.

The federal government could do the same: use the buying power of large procurement vehicles and agency acquisitions to demand more secure products from industry. Much the same way companies compete for government contracts based on factors like price, tweaking procurements could force them to compete on the inherent security of their internet-connected devices.

In the purchase of two equally priced internet-connected coffee pots, the government might well select the version that offers real-time automated security patching.

“One of the things we hope to move toward is a world where security becomes part of these IoT products and potentially a market differentiator,” said Josh New, policy analyst for the Center for Data Innovation. “We know it’s an incredible driver.”