Security is set to become the hot-button issue in the smart home this year, as more connected devices come online and more hackers attempt to infiltrate corporate and consumer networks through connected gadgets. The FBI even issued a warning about connected home products.
The concerns about security and the smart home are well-founded. Several devices from connected cameras to smart home hubs have been hacked. Even light bulbs aren’t immune.
A survey issued by Intel on Thursday found that 77 percent of those asked believe smart homes will be as common in 2025 as smartphones are today, but 66 percent are also very concerned about smart home data being hacked by cybercriminals.
The looming threat of the hacked home is why the Atlantic Council worked with three security researchers to issue nine recommendations to make the smart home more secure. The report is a collaboration between the Atlantic Council think tank and I Am The Cavalry, an independent security research group. I Am The Cavalry has issued a framework for securing connected cars and connected medical devices.
Beau Woods, an author of the report and the deputy director of the Cyber Statecraft Initiative at the Atlantic Council, explained that fear of hacking has hindered consumer acceptance of the smart home. The smaller market has its own effects on the industry’s security practices, making it harder for start-ups to invest in security, and leading them to business models that may drive even more consumers away.
The goal of the Atlantic Council’s report is to lay the groundwork for the creation of a new smart home security framework in a few months. Most of the recommendations are uncontroversial, but I can’t think of a single product that follows all of them today. They are:
- Security by design—Assume that someone is always trying to hack your product and react accordingly. Also, keep devices and software as simple as possible to reduce the surface area available to attack.
- Third-party collaboration—Don’t sue people who bring security flaws to you.
- Failure investigation—Track your failures and review them so they can’t happen again.
- Remote updates—Build for remote updates, and ensure the means of delivering those updates are secure.
- Safe failure modes—When something is hacked, make sure it can’t do much damage. Today weaknesses in the smart home tend to spread from one device to others. Efforts like Nest’s Weave protocol, which ensures that devices can only talk to certain other devices, can help stop the spread of malicious software, for example.
- Standalone operation—Make sure the manufacturer understands and communicates what parts of a device will work if there is no Internet connectivity. Also, it may make sense to buy back obsolete devices rather than continue to support them.
- Safe options and defaults—Ensure that default settings are “reasonably” safe and tell owners how to further tweak and secure their devices. Don’t force them to become a network engineer.
- Data protective measures—Make sure customers understand how their data is protected. Ensure they know how to safely remove data if they lose or sell the device. Additionally, make sure they can remove their data in case of device theft.
- Informed consent for data use—Tell users how their data will be used and how they can opt out. Don’t forget to include a section on how you plan to deal with their data in case of a sale or if you intend to share the data with third parties.
For the last one, I’d like the industry to also understand what third parties plan to do with their user data, and communicate that to consumers. I might trust Amazon with my Echo utterances, but if Amazon wants to share that with a third party, it’s not enough to say it is doing so. I’d want to know that Amazon has limited what that third party can do with my data.
In general, these recommendations codify the current best practices for device security without directly mandating how the devices should be secured. You won’t find dictates about how databases of user passwords should be secured or what level of encryption the devices should use.
Already, companies are stepping up in those areas, but the Atlantic Council report brings up bigger challenges, such as the lack of incentives for companies to build in better security. From the report:
> In the United States, there is no software liability, so the costs of security failure fall to the buyer. Though many device makers are conscious of security concerns and want to do the right thing, investing in better security may not make sense from a monetary, cost-benefit standpoint. For device makers, the cost of reducing security risks may not outweigh the benefits from securing their products—especially if they are delayed to market. Furthermore, any incentive to invest in better security may be even smaller, considering that many of the potential security risks might never affect consumers. How much should a device maker spend when the costs of failure do not directly affect them?
Steve Grobman, chief technology officer for Intel Security, points out another problem with incentives: because many of these devices have a long life cycle but are relatively low-margin, manufacturers may not want to support them over the entire life of the product.
“How do we change the incentive model when device life cycles and security maintenance on devices are not aligned?” he asks.
Instead of a regulatory solution, such as the FTC stepping in to assess fines, Grobman thinks that educating consumers about what they are buying will help. Help is more likely to come from new business models in which device makers can generate long-term revenue from a connected device. At that point they will have an incentive to keep the product patched and working.
Until then, manufacturers have the Atlantic Council and I Am The Cavalry recommendations.
Source link : https://www.pcmag.com/news/9-ways-to-make-your-smart-home-more-secure