Regulation is the best hope for IoT security – imagine that!

Far from stifling technological innovation, regulation could in fact create lucrative new opportunities for security vendors.

gavels on a table governance compliance legal

Now that we’ve begun the new year, it may be the best time to revisit Internet of Things (IoT) legislation (even though the relevant bills have been on the Hill since the summer).

A recently introduced bill addresses perceived vulnerabilities in the security of IoT devices sold to the federal government, and medical devices that connect to the Internet. IoT device manufacturers would also have responsibilities to ensure security over the life of the devices. The counter-argument to this legislation, however, is that disclosure and certification requirements could create additional liability for device manufacturers.

Using buying power to push the security agenda

The IoT Cybersecurity Improvement Act of 2017 was intended to leverage government procurement strength to manage the security of IoT devices purchased by the federal government. Among other considerations, the bill would have vendors of Internet-connected devices ensure that the devices can be patched for security updates and are free from any known security problems when they’re sold to the government. What’s more, vendors must configure devices with changeable usernames and passwords, to protect against potential attacks by malicious actors.

The White House Office of Management and Budget (OMB) has been given authority to develop network security requirements for devices with limited data processing and software functionality. Each executive agency would be required to maintain an inventory of all of their IoT devices.

This makes sense. Right now, there is little guidance coming from the government on protecting IoT devices in the federal infrastructure.

In this case, the US lags behind its European counterparts, which  plan to introduce the so-called General Data Protection Regulation in May. That’s not to say the United States has done nothing – the FTC did introduce some IoT security parameters when white hat hackers demonstrated how easy it was to take over the controls of a Jeep in a demonstration in 2015.

Legislating parameters may not be enough

Of course, creating legislation is not the be-all and end-all to government IoT security. Bad actors are always coming up with new ways to get what they want, and enacting a law won’t keep them from doing their dirty work. That’s why a bill like the one currently proposed is better than establishing minimum standards based on today’s technology.

If vendors know that the ball is in their court to keep up with IoT device security, it goes a long way to giving government IT professionals more peace of mind – especially if vendors know that they won’t be able to sell their wares if they don’t pick up that responsibility.

Not everyone agrees with legislation of any kind. Some industry observers believe that small startups could suffer most from these kinds of restrictions – meaning that costs for manufacturers and consumers alike might skyrocket, and technological advances may stall.

Companies don’t need regulations to stay ahead of IoT security problems, the argument goes. Industry needs to show that it’s policing itself, which would do away with the need for any government legislation or intervention.

So even though some legislation now might be important to shore up IoT security, the industry seems to be equally interested in having standards set by trade associations or other bodies, to prevent what they feel might be overweening controls by legislators down the road.

Striking a balance

So where are we now? The challenge facing the industry and government will be to strike a balance on how IoT regulation and enforcement can meet federal security goals, while keeping pace with a rapidly developing and evolving technology.

By 2020, it’s estimated, there will be over 20 billion connected devices in use, and a quarter of attacks will use IoT by then. Common sense suggests that these trends will require some form of broad regulation. That in turn is likely to spur even greater IoT investment in state, local and federal government, because baseline security controls give public sector IT professionals confidence in the storage and transmission of data from these devices.

The inevitability of legislation and regulation should create an incentive for vendors to wrap security around their products. Far from stifling technological innovation, it could in fact create lucrative new opportunities for security vendors.

Copyright © 2018 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)