
Burden of Tech Security Rests on the Wrong Shoulders

Right now, consumers must do the heavy lifting. But industry watchers at CES say companies must finally get their priorities straight.

Crowds at CES 2023
Hey, tech industry, security shouldn't be an afterthought.
James Martin/CNET

It's easy to get caught up in the flashy and futuristic tech rolled out at CES. Where else are you going to see flying cars, toilets that test your pee and so, so many robots?

That all may seem incredibly cool. But that new tech, which is often collecting oodles of personal data from untold numbers of consumers, highlights the need for tech companies to make security and privacy the priority and to build it in from the get-go.

Often, when it comes to tech design, data protection concerns are pushed to the back burner in favor of exciting new features, keeping costs low and getting the tech to market quickly, Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, said during a CES panel.

That's partially due to a lack of accountability from both the government and the public in general. 

"We don't seem to be recognizing that as a fundamental safety issue," Easterly said, adding that while companies have lots of incentives to make products cheaply and quickly, there isn't a lot out there to entice them to make them safe.

That, unfortunately, puts the burden of securing technology on consumers, who are least able to understand cyberthreats and defend themselves against them, Easterly said.

CrowdStrike CEO George Kurtz, speaking on the CES panel, said average people shouldn't have to think about security beyond the most basic of levels.

When consumers buy a piece of tech, such as a home security camera, they should get some kind of guarantee that it'll be secure and supported with software updates for a certain amount of time, say five years, Kurtz said. After that, they might be on their own, but they won't have to think about it in the meantime.

"Until there's some level of oversight and regulation and, you know, some sort of sensible practice in how people purchase these things and how they look at security as a differentiator, you're going to have the same situations occur over and over," Kurtz said.

Dan Berte, head of internet of things research for Bitdefender, said it wouldn't be asking a lot for tech companies to secure and support their products for at least a few years.

Berte's team spent much of the last year dissecting vulnerabilities in several brands of internet-connected cameras. They discovered security problems in several products, which they then reported to the companies, but he said it was a battle to get many of those companies to acknowledge and fix those problems.

"I think responsibility should be required by law -- that you provide instant patching and support for three years, especially if a vulnerability is reported," Berte said in an interview with CNET.

Companies that fail to do this should be fined, and repeat offenders should have their products pulled from the market, he said. 

If nothing else, tech companies should be required to be transparent with consumers about what their technology contains in terms of security protections, just like how food makers are required to list ingredients in their products, Easterly said.

That way people will have a better chance at making smart choices about what kinds of tech they bring into their homes. That transparency also could push tech companies to put more emphasis on securing their products by default, she said.

"Technology companies are actually pushing and trying to get there, but from a consumer perspective we really need to be demanding better safety in our products," Easterly said.