With Bruce Schneier, CTO of IBM Resilient, stating, “You can’t talk about regulation versus no regulation — that ship has sailed. Now it’s about smart or stupid regulation,” at the RSA Security Conference in February, it’s time to get the ball rolling. But what’s already being done?
The truth is, not much.
The U.S. Senate introduced a bipartisan bill this August calling for minimum security requirements for IoT devices purchased by the federal government, though its recommendations are fairly general and limited in scope. Under the proposed bill, vendors would be required to ensure that their devices are patchable, rely on industry-standard protocols, do not use hardcoded passwords and do not contain known vulnerabilities at the time of sale. While the senators introducing the bill voiced concern about the lack of security in IoT devices, regulators have done little to address commercial and consumer applications of the technology.
Some of the first signs of regulatory policy are now being drafted in the EU, where IoT security and privacy fall under GDPR compliance initiatives, and in the U.S., where currently the only state that seems concerned about the impact of emerging technologies is California. The California State Senate has drafted Senate Bill 327, not yet enacted, which would require manufacturers of connected devices to build in security from the start: to "equip devices with reasonable security features," to "design the device to let the consumer know when information is being collected," and to notify consumers directly of relevant security patches and updates.
Compared with California, the U.S. FTC pales. The agency has done little beyond encouraging device manufacturers to take security into account, and to date has issued only one formal report on the topic, which dealt solely with consumer devices and left enterprise and commercial applications out. There are other initiatives, such as the Open Web Application Security Project (OWASP) and NIST; the latter has issued reports on specific security issues but has yet to address the overarching security and privacy concerns arising from IoT devices.
What NIST does do is identify the constraints of IoT devices that bear on security: tight power budgets, which mean that adding encryption or other security features consumes energy and drives up the price of a device; the low unit cost that such price increases threaten; and short product lifecycles, which make patching and updating burdensome, if not impossible. So, if some of the Western world's largest and most authoritative regulatory agencies aren't willing to take action, who will?
At this point that also remains an open question, but there are some areas that any IoT security and privacy regulation should address. First is unauthorized access. IoT device manufacturers should be required to tie strong authentication to use of the device, which can be achieved with existing methods such as multifactor authentication or unique, per-device credentials generated at manufacture rather than a shared factory default.
Second is default credentials. Who in their right mind would keep the default passwords issued by the manufacturer when they are usually "1234" or "default"? Yet many devices still run with them, and they are easy to find: Shodan indexes internet-exposed devices by their service banners, and the matching factory usernames and passwords are published in freely available default-credential lists, so an attacker can locate nearly any connected device model and log in without guessing anything. The sad part is that so many consumers, and even enterprises, trust manufacturers to be "security first." The sadder part is that they aren't. That's why a security-first mentality is essential if any IoT regulation is going to work.
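To make concrete what "unique user credentials" instead of a factory default looks like in practice, here is an added example (not code from this article, from any regulator, or from any manufacturer it names). It is a small Python provisioning routine that issues a distinct high-entropy password per serial number, rejects anything on a known-default list or derived from the printed serial, stores only a salted scrypt hash on the device, and audits an existing inventory for units still running defaults. The default-password list and the serial numbers are constructed for the example.

```python
"""Per-device credential provisioning and default-password audit.

Added example: not code from the article, any regulator, or any
manufacturer named in it. The default-password list and the serial
numbers are constructed for illustration.
"""
import hashlib
import os
import secrets
import string
from typing import Dict, List, Optional, Tuple

# Constructed sample of factory defaults that must never ship on a device.
KNOWN_DEFAULTS = {"", "1234", "12345", "admin", "default", "password", "root"}

# Letters and digits only, so the password can be printed on a label.
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 20          # ~119 bits of entropy over a 62-symbol alphabet


def generate_device_password(length: int = PASSWORD_LENGTH) -> str:
    """Draw a fresh password from the OS CSPRNG (never from a serial or MAC)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_acceptable_password(password: str, serial: str) -> bool:
    """Reject factory defaults, short passwords and anything containing the serial.

    Serials are printed on the case, so a password derived from one is
    effectively public.
    """
    if password in KNOWN_DEFAULTS:
        return False
    if len(password) < 12:
        return False
    if serial and serial.lower() in password.lower():
        return False
    return True


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """scrypt the password with a random 16-byte salt; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored hash."""
    return secrets.compare_digest(hash_password(password, salt)[1], digest)


def provision(serials: List[str]) -> Dict[str, Tuple[str, bytes, bytes]]:
    """Issue one unique credential per serial: {serial: (password, salt, digest)}.

    The plaintext is returned only so it can be printed on the unit's label;
    the device firmware stores just the salt and digest.
    """
    records: Dict[str, Tuple[str, bytes, bytes]] = {}
    issued = set()
    for serial in serials:
        password = generate_device_password()
        # Loop is practically never taken, but guarantees the policy holds.
        while not is_acceptable_password(password, serial) or password in issued:
            password = generate_device_password()
        issued.add(password)
        salt, digest = hash_password(password)
        records[serial] = (password, salt, digest)
    return records


def audit_credentials(inventory: Dict[str, str]) -> List[str]:
    """Return serials whose current password would fail the policy.

    `inventory` maps serial -> plaintext password as exported from a fleet
    management tool; units listed here are still running factory defaults
    or otherwise weak credentials.
    """
    return sorted(s for s, pw in inventory.items()
                  if not is_acceptable_password(pw, s))


if __name__ == "__main__":
    fleet = provision(["CAM-00017", "CAM-00018"])
    for serial, (password, _salt, _digest) in fleet.items():
        print(f"{serial}: label password {password}")
    # Constructed export from a deployment that never changed the defaults.
    print("units failing policy:",
          audit_credentials({"CAM-00001": "1234", "CAM-00002": "admin",
                             "CAM-00017": fleet["CAM-00017"][0]}))
```

The design point is that the plaintext exists only at the factory line (to print the label) and the device itself holds a salted scrypt digest, so a firmware dump yields nothing reusable across units; the audit function is the same policy applied to an existing fleet, which is how an enterprise would find the units an attacker could walk into with a default-credential list.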
Another issue is data privacy: what is the limit on the information that can be collected, stored and shared over the internet? Consumers, and even more importantly enterprises, need assurances that their data is protected, and they need to be able to protect it themselves with strong passwords and authentication credentials. What happens if an insider, or an outside attacker who has compromised the smart coffee machine, uses it as a foothold to reach the parts of the network that hold everyone's salary information? The consequences could be significant, and the practical defense, keeping IoT devices on a segmented network with no route to sensitive systems, is usually an afterthought next to IoT's innovative appeal.
No matter the structure or source of the regulation, what's true across the board is that it needs to come fast. At the beginning of this year the FTC filed its third IoT-related enforcement complaint, this one against D-Link, alleging that the company had promised consumers that its wireless routers and IP cameras were secure when they were far from it. According to the FTC, D-Link could have taken reasonable steps to secure its products against "widely known and reasonably foreseeable" risks. A slap on the wrist or a fine is not enough to make IoT manufacturers change the way they do business. To achieve the desired security-first approach, stringent top-down directives are needed.
The one obvious drawback of regulating IoT technology while it is still in an early and transformative phase is that regulation may have the reverse effect, stifling the technology or making compliance impractical. However, with the growing number of real-world examples of IoT going haywire and wreaking physical and monetary havoc on companies and individuals, there is little time left to consider how to lightly drop the IoT security bomb.