Where are the IoT security startups?
Security is a broad concept even within a specific arena such as embedded systems. Basic security principles are applicable whether the asset to be protected is physical or virtual, so one can understandably question the appropriateness of confining a discussion about security to a particular market such as the Internet of Things (IoT). The IoT is unique, however, in the way its assets stretch out broadly across both physical and virtual domains -- encompassing individual devices and open communications channels at known sites as well as geographically dispersed data sets and applications running on virtual servers. Rather than some nicely compartmentalized system, an IoT application is pretty much a security nightmare from end to end. Even so, you'd think that the dissonance between excitement over IoT opportunities on one hand and concern about IoT security on the other would yield a rich breeding ground for companies targeting IoT security. Yet, in its latest look at 60 noteworthy startups, EE Times identified only one security-related startup, which raises the question: Where are the IoT security startups?
From a security point of view, the IoT is different from nearly any other application segment. Few applications expose as many threat surfaces simultaneously. Industrial network applications probably most closely resemble IoT applications but have the distinct advantage of physical protection and isolation. Even so, closed industrial networks have been famously compromised. In contrast, a typical IoT application is open and easily accessible. IoT security solutions must start with the assumption that security is compromised at the outset, because anyone can physically acquire one of the application's IoT nodes and attack it in the comfort of their own home workshop or nationally funded laboratory. Not surprisingly, researchers have exposed security flaws in connected products including automobiles, closed-circuit cameras, and even light bulbs. Concerns understandably remain over zero-day vulnerabilities across the connected world.
That challenge, in a nutshell, is the easy answer to the dearth of IoT security startups: It's really, really hard. Yet, that very kind of challenge has always attracted some of the best minds in math, science and engineering. The true answers might have less to do with technology than with business factors. In its recent report, Cybersecurity Venture Investment in Pervasive Computing and the IoT, Lux Research looked at 77 IoT-related startups and found a remarkable shortfall in venture funding. According to Lux Research, the 77 startups it studied "...raised just $808.6 million in venture funding over the last 16 years -- and 42 of them had little or no venture backing at all."
It's interesting to note that in both the EE Times list and in the Lux Research report, some of the companies have been around long enough to stretch the definition of "startup." In terms of market presence, however, these companies are in a long-running battle for recognition. IoT security-solutions vendors face a cost-sensitive market and security is a cost that does not translate into a new, exciting feature for the user. Cybersecurity vendors often say that their products are like insurance -- something nobody wants to pay for until it's too late. Adding to the difficulty, good security imposes certain demands on product users, who typically balk at extra steps required to actually get a "connected" product online (see typical user comments for any home-based Wi-Fi router or access point).
Along with the difficulty in proving commercial viability, third-party security-solution providers face a significant legal challenge. As Lux Research points out, the anti-circumvention rules in Section 1201 of the Digital Millennium Copyright Act prohibit developers from bypassing a device's own code without permission from the rights owner of the device code. While efforts are underway to sue for injunctive relief from anti-circumvention restrictions, few startups or venture financiers can afford to rely on expectations for an individual waiver, much less a quick, satisfactory legal or legislative solution. On the other hand, perhaps another possible answer to the lack of security startup visibility lies hidden within the constraints of Section 1201. We'll never know how many stealth startups are working on security solutions in close cooperation with, and with funding from, industry leaders looking for security solutions for their connected automobiles, medical devices, and others. Similarly, we'll never know how many stealth startups are adhering to the basic rule of security: Keep quiet.