Can I interest you in a firewall for your toaster?
In September, the California state legislature enacted two identical bills regulating Internet-connected devices sold in California, aimed at developing minimum security standards for devices that make up the 'Internet of Things', or 'IoT'. The bills are among the first regulatory measures to be implemented worldwide that are specifically aimed at hastening the industry's response to the threat of IoT-based cyber-attacks.
The IoT is the name given to networks of devices that have components that allow them to connect to the internet, and that communicate with each other via this internet connection. IoT networks allow businesses and consumers to automate the completion and co-ordination of tasks (including making transactions) via the interconnected devices to make businesses more efficient, and domestic life easier. IoT-connected devices have been widely available on the consumer market for several years, and further commercial applications for the IoT concept are continuing to be developed. Recent reporting indicates that the value of transactions conducted through the IoT will experience a compound growth rate of 13.6% over the next five years, meaning that some $1.2t US may be transacted via IoT devices annually by 2022.
With the popularity of IoT-enabled devices (and with it, the amount of money being funnelled through IoT transactions) rapidly growing, the need for protecting users through effective regulation has already become apparent. A recent report by research firm Gartner found that nearly 20 percent of organisations that had deployed IoT-capable devices had experienced at least one IoT-based cyber-attack in the past three years. In January 2015, the US Federal Trade Commission (FTC) released a report that outlined the inherent privacy and security risks associated with mainstream IoT adoption, and urged manufacturers to (among other measures) build security hardware into IoT devices from the outset to insulate against third party attacks.
At the time that the FTC issued its report, it seemed that it would be in the best interest of IoT stakeholders to adopt the recommended 'best practices' for security protocols in IoT products, even without a regulatory mandate. After all, consumer confidence had to be maintained in order for mainstream consumers to embrace IoT technology, and even one major security compromise could have a stifling effect on the burgeoning industry. However, for economic reasons, this has not been the unanimous response from manufacturers. For many manufacturers, consumer demand for IoT devices has not yet reached a level that would justify significant investment in security features. As a result, there are still many devices on the global market with little to no built-in security, which could compromise the whole of any network that such devices are connected to.
The California legislation is drafted broadly, both in the scope of its application and in its requirements for compliance. The regulations will apply to any devices that are manufactured in California and are "capable of connecting to the internet, directly or indirectly", and require manufacturers to equip all captured devices with "reasonable security features that are appropriate to the nature and function of the device … [and] the information it may collect, contain or transmit… [to protect] from unauthorised access, destruction, use, modification, or disclosure". While on one hand the non-specificity of the compliance requirements allows manufacturers to flexibly apply their own interpretation of what is 'reasonable', some manufacturers have called the wording 'egregiously vague', and have criticised the advantage that it gives to parallel importers of goods manufactured elsewhere, which are not subject to the same restrictions.
The latter point may become less of an issue in coming years, as it is expected that other jurisdictions will follow in California's footsteps. Though falling short of placing obligations on manufacturers, a federal bill is currently before the US Senate that would require US state departments to have certain clauses relating to security in any contract for the procurement of IoT devices, which would theoretically give manufacturers a commercial incentive to adopt robust security protocols. In the European Union, some IoT devices fall under the jurisdiction of the General Data Protection Regulation (GDPR) due to their data sharing and processing function. This means that not only are IoT device manufacturers compelled to consider security due to the GDPR's 'privacy by design and default' requirements, but also that IoT manufacturers or operators may need to provide facilities that allow users to communicate their consent to certain data being shared.
The application of the latter requirement may be difficult to pinpoint, given the connected and automated nature of the IoT. The EU also has in place a general directive aimed at cyber security which may impact IoT. The Directive on security of network and information systems (NIS Directive) does not place specific obligations on IoT device manufacturers, but does create a framework at the European community level for cyber-security notification processes, which may allow EU member states to more easily implement and enforce mandatory security requirements such as those now in place in California.
In New Zealand, the regulatory response has been slower to materialise. At present, an association of industry stakeholders (the New Zealand IoT Alliance) is administering a series of working groups that are aimed at developing industry standards and guidelines for a number of facets of IoT, including cyber security, data/privacy, and device certification. In the meantime, the New Zealand Cyber Security Strategy published in December 2015 (NZCSS) essentially promotes a 'buyer-beware', reactive approach to security of internet-connected devices, including IoT devices. The NZCSS also established the Computer Emergency Response Team (CERT), which serves as an industry watchdog, issuing public warnings of cybersecurity threats, and working with businesses and organisations that are affected by cyber attacks.
As is common with emerging technologies, the regulatory response to IoT security has struggled to keep pace with the development and adoption of the technology itself. In some places (including New Zealand), we are seeing this widening gap being filled by self-regulation from industry stakeholders, while other places serve as examples of the struggle to reconcile 'industry best practice' with harsh market realities. The new California legislation, through its deliberate vagueness, arguably serves as an indicator that regulatory development of the IoT space will continue to be industry-led for the time being, until a clearer picture of the risks and dangers can emerge. In the meantime, it seems likely that lawmakers around the globe will continue to monitor the early legislative efforts of places like California - while using their available tools to promote the development of their domestic IoT industries without putting consumers at undue risk.