What the Internet of Things Can Learn from Used Cars
This past week's "Petya" ransomware attack on companies, airports and government departments across Europe—the latest in a series of massive and high-profile cyberattacks—has renewed calls for lawmakers and regulators to adopt tougher rules governing device insecurity.
That would be a mistake. Rather than rely on regulatory wrangling, policymakers should look to the role market-based mechanisms like warranties and guarantees can play in providing information about product quality in the "Internet of Things," just as they currently do in the market for used cars.
The Internet of Things industry actually has much to learn from the secondhand car market. Just as in the market for used cars, it can be costly and challenging for consumers to sift through information about which sellers of networked devices offer the best products at the best prices. As the Nobel laureate economist George Akerlof has detailed, when a consumer can't discern whether a given product is of good quality, uncertainty and dishonest practices can erode trust between buyers and sellers, causing markets to function poorly.
Like Akerlof’s depiction of the troubled market for used cars in the 1960s and 1970s, there is a credibility problem in the market for IoT devices. According to an Accenture survey, 47 percent of consumers cited security concerns as a reason they won't adopt "smart" devices in their homes. This suggests there's value left on the table by both consumers and sellers. According to McKinsey, the market for IoT devices could generate between $3.9 and $11.1 trillion in economic value by 2025. But in order to realize this full potential, it's critical that consumers gain confidence in the security of their devices.
Akerlof noted that sellers can counteract the negative effects of this lack of trust by offering guarantees, which shift the risk from the buyer to the seller. Indeed, in the Accenture survey, 18 percent of respondents said they quit using smart devices because of the lack of security guarantees. Guarantees therefore perform a "signaling" function, directing buyers to sellers who stand behind their products. In the market for networked devices, this could take the form of explicit device lifecycle policies, cybersecurity support commitments or insurance-backed security guarantees.
Warranties are a particularly flexible mechanism for accountability, as they can be structured to guarantee satisfaction, performance, or quality. For example, a warranty could guarantee that a device is free from certain security vulnerabilities. In the event of a breach, the seller would commit to refund, repair, or replace the device. Warranties also can help companies demonstrate their commitment to cybersecurity, which is especially important for threat-detection or security software, or for certain highly sensitive Internet of Things devices like webcams or baby monitors.
There are already examples of warranties in the cybersecurity industry, such as the $1 million warranty that SentinelOne—a business-to-business cybersecurity software provider—offers in connection with its ransomware protection software, backed by SentinelOne's insurance policy. Insurance-backed guarantees have a secondary benefit: any resulting claims data can help insurance companies to better understand the risk and more accurately price products. Armor, another cybersecurity company, offers a $100,000 insurance-backed warranty against data breaches. According to Armor's policy, if a customer experiences a data breach, the company will help cover the recovery costs.
These arrangements do remain relatively rare, as few if any consumer-facing Internet of Things products have adopted formal guarantees to address cybersecurity performance. Moreover, widespread adoption of cybersecurity warranties will not be a cure-all for cyberattacks. But on the margin, wider use of warranties could encourage companies to compete on quality. Paired with the review functions offered by online platforms like Yelp and Amazon, market mechanisms like guarantees and warranties can improve the information consumers have about product quality.
It isn't that there is no role for government to play in helping to boost consumer trust in the Internet of Things. There are ongoing efforts by agencies like the National Institute of Standards and Technology and the National Telecommunications & Information Administration that could prove crucial to the future of cybersecurity and create standards for rolling out upgrades and patches. But rather than enforce prescriptive regulations that could kill innovation when it's still at its crucial embryonic stage, policymakers should look to foster the right conditions for the IoT market to provide more cybersecurity information.
Just as the used car market found mechanisms to earn consumer trust, the market for Internet of Things devices will undergo the same development, bringing us one step closer to ensuring the brave new world is both thriving and secure.
Anne Hobson is an associate fellow with the R Street Institute; James Czerniawski is an research assistant with the R Street Institute.