Internet of threats: Managing risk and governing it
By now, we have an understanding that IoT devices, while useful and convenient, come with many security concerns. The simplicity that consumers love about IoT devices is, in fact, what makes them so risky. IoT devices are easy to connect to remotely by just about anyone and, unfortunately, not just by the people one would wish to share access with. IoT devices are found everywhere — on your wrist, in the office, driving down the street, etc. — and therefore putting corporate and personal data at risk. It’s time for government agencies and organizations to get involved, and enforce regulations around the security of these devices.
The good news is that June was an important month in moving the conversation forward in regards to IoT security legislation in the United States. We’ve witnessed huge strides toward addressing the ever-increasing need for IoT security regulation and management in the United States and globally.
- An IoT bill cleared the House of Representatives Commerce Panel. This bill directs the Commerce Department to study and report to Congress within one year on the U.S. internet-connected device industry, including voluntary and mandatory standards that are being developed around the world for the IoT sector, clarifying which federal agencies have jurisdiction over the sector and any regulations or standards those agencies have put in place that would impact the IoT industry.
Insight: This seemingly small directive is actually a great step in the right direction and will advance the conversation on IoT as it will bring attention to the different areas that currently lack legislation as far as minimum IoT security standards and which agencies have jurisdiction where it comes to (the currently nonexistent) enforcement. - A comment by the staff of the Federal Trade Commission’s Bureau of Consumer Protection to the Consumer Product Safety Commission about the potential privacy and security issues associated with internet-connected consumer products. The FTC warned that poorly secured IoT devices could pose a consumer safety hazard and outlined ways to mitigate such risks. For instance, a car’s braking system could fail if infected with malware, and carbon monoxide or fire detectors could stop working if they lost their internet connection
Insight: Beyond the obvious safety concerns that this comment raises and the outlined ways to mitigate the risks which could save lives, it also advances the general conversation about the lack of security standards in the IoT industry. - The FTC suggested considering security disclosure rules for connected device makers.
Insight: If IoT makers are mandated to clearly disclose their security protections, it would presumably help consumers in making better decisions when purchasing IoT devices of different types. It would also provide an enforcement option for the FTC to go after IoT manufacturers that misrepresent their security protections.
What does this progress mean for consumers and manufacturers?
Most consumers may not yet understand the importance of assessing the potential damages that can be caused by their many IoT devices. This is primarily because the damage in many cases is not personal. An army of bots will cause damage to society at large and not just to the individual using the device (although clearly a bug that crashes a car would be considered personal damage).
From the viewpoint of manufacturers, once they start investing in security patching, the price of IoT devices will go up and a pricing competitive edge could be lost. Without legislation equalizing the playing field, there would be substantial inequality in the price that the vendors would be charging, and so legislation would provide an equalizing force in the market.
On the flip side, strong internet security regulations on manufacturers of IoT devices would encourage security upgrades for competing companies that would like to sell in the U.S. and any software improvements would be available in the devices anywhere they are sold, as it makes sense to have one concise version of software.
Bruce Schneier, CTO at IBM Resilient and longtime advocate for IoT security regulation, has said on many occasions that the government should impose basic security standards on IoT manufacturers, forcing them to make their devices secure, despite the fact that most customers are not aware of security’s importance. He rightly notes that this is an international issue and that IoT devices made in other countries could still be used in distributed denial-of-service attacks to bring down U.S. websites in botnet attacks.
Once governments see the benefits regulation will offer society, they will be enhanced, causing vendors to provide a basic standard of security measures. These would include investing in centralized security patch updates (security by default) and a standardized number of years in which each device must provide the software patches. Government should actively be seeking legislation to regulate and manage IoT risks and threats by expanding device security measures. There are so many vulnerabilities in IoT, and hacking IoT devices is so easy that we must proactively seek solutions rather than wait for disasters or emergency situations to force reactive responses.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.