Building a Case for Legislating IoT Security
Category: Gemalto
Earlier this summer, US lawmakers proposed new legislation that seeks to address vulnerabilities in Internet of Things (IoT) devices. The IoT Cybersecurity Improvement Act would require vendors that supply internet-connected equipment to the US government to meet a set of basic security requirements that limit the risk of exploitation and cyberattacks.
Some might ask why we need legislation to protect the IoT; after all, it hasn’t been required in many other areas of technology. Most importantly, the legislation is significant because it provides evidence of the government’s growing concern about cybersecurity. But there are a number of further reasons why it can be a good idea.
To create a set of common rules
The Act is focused on the US government’s procurement of IoT devices, and suggests several key security rules, notably:
- Ensure all devices sold to the US government are patchable
- Require that IoT vendors do not ship devices with hard-coded passwords that can’t be changed
- Require devices to be free from known security vulnerabilities
These rules are important to prevent a repeat of the Mirai attack, which compromised chronically insecure internet-connected devices in 2016 and, through a snowball effect, affected the whole internet. Ensuring that devices are always patchable and that passwords can always be changed would go some way towards shutting down a similar attack. And although the legislation is designed principally to protect the US government, the same principles could be hugely beneficial for IoT security at home or in the enterprise.
To help inexperienced companies
It’s important to remember that the IoT is not restricted to technology companies. Companies in any sector could conceivably become IoT vendors, whether they make toasters, clothes or anything else. These companies do not necessarily have the security heritage or expertise they need, and their market may not be able to absorb the additional costs that acquiring it would require. Common rules would help them understand what’s required and stop products being released before they are fully protected.
To extend the practice of security updates to any connected product
People generally understand that their computers and smartphones often need software updates to close security gaps, but asking them to do the same with other types of connected device, such as a smart hi-fi system or a connected washing machine, might not be as fruitful, as consumers are simply not used to having to update these types of appliance. And while devices like laptops and smartphones are typically replaced quite regularly, other connected devices could be used for years, meaning that companies need to be prepared to protect them over a longer term. So this legislation could be an important first step in ensuring that manufacturers make life as simple as possible for consumers buying into the IoT, while contributing to the safety of the internet as a whole.
To continue building the ecosystem
The IoT is all around us and is already making our lives more convenient. By the end of this year there could be as many as 8.4 billion connected devices, while Gartner predicts that spending on IoT services and endpoints is set to reach almost $20 trillion by 2020. These statistics speak to the huge potential of the IoT and how quickly it’s becoming part of our everyday lives, not to mention that the IoT is the foundation for the driverless car and the smart city of the future. However, getting IoT security right is paramount if we are to realize that potential, and further high-profile cyber incidents could dent confidence or dampen consumer interest.
The focus of the proposed legislation was echoed by the US Federal Trade Commission at the recent Black Hat USA conference. The Commission, whose role is to protect consumers, has also been looking at IoT security and has reached several similar conclusions, notably that manufacturers should disclose a minimum period of security support so that consumers can understand how long a device is intended to remain supported.