Here Come 5G IoT Devices: What Is “Reasonable Security”?
By John Dermody
After years of waiting for 5G technology to transform industry and consumer devices, developments at this year’s Consumer Electronics Show suggest that 2020 may finally be the year when US companies make the leap. Early signs show the healthcare and manufacturing sectors will lead the way this year in incorporating 5G and connected devices into their operations.
If the prognosticators are correct, our smart watches will soon talk to our refrigerators and order healthy groceries online. And our doctors may receive real-time health updates from our workout equipment, pharmacies, and implanted medical devices. The combination of 5G and the projected explosion in the number of IoT devices has industry excited, and the government focused on data security. 5G will allow massive evolution of products and services, leading to autonomous vehicles, remote surgery, and greater connectivity, automation, and precision in industrial manufacturing. This coming integration of, and reliance on, connected devices—the Internet of Things (IoT)—raises myriad new privacy and security concerns, and lawmakers and regulators are ready to take action.
The New Year brought new state laws in California and Oregon focusing specifically on security requirements for connected devices. The laws are the first in the nation, and portend a coming wave of laws, lawsuits, and regulatory actions focused specifically on data security. Lawmakers are wrestling with how to keep consumers safe in the face of rapid technological advancement, and are falling back on the concept of “reasonable security” to bridge the gap. But reasonable security may not be an easy standard for engineers to implement.
The California and Oregon laws require manufacturers of connected devices to integrate reasonable security measures that (1) are appropriate to the nature and function of the device; (2) are appropriate to the information the device may collect, contain, or transmit; and (3) are designed to protect the device and its information from unauthorized access, destruction, use, modification, or disclosure.
This may seem like a simple threshold, but these laws’ definition of “connected devices” is expansive, potentially extending the scope to include security cameras, household assistants, vehicles, and, in the case of California, industrial manufacturing equipment. Each category of device is going to have a different level of sophistication, different uses, different interaction with data, and different manufacturing requirements. What may be reasonable for a Wi-Fi-enabled juicer is not going to be reasonable for a connected vehicle.
The increasing inability of laws and policies to keep pace with advancements in technology means that efforts to address these issues are going to be crafted in an overly broad and flexible manner. The California and Oregon laws, as well as similar efforts at the federal level, reflect a struggle to empower the government to address problems, the exact contours of which are not completely known or understood. Rather than be behind the curve of a particular problem, these laws impose broad requirements that will evolve over time.
At the same time, laws run the risk of codifying standards that may be inapt or quickly become obsolete. The California and Oregon laws provide that “reasonable security” can be satisfied by equipping a device with a unique preprogrammed password or a requirement that the user generate a new means of authentication before gaining access to the device for the first time. This may be reasonable for some devices, but the law also covers devices where a compromise in security could result in significant physical harm, and where more stringent security requirements would be appropriate.
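To make the two statutory safe-harbor paths concrete, here is an added illustration (not code from the article or from any manufacturer) of a device's first-use credential gate. It models path (a), a factory password that is unique to the unit, and path (b), no usable credential until the user sets one; it also adds a `high_risk` flag, reflecting the article's point that a device whose compromise could cause physical harm should force a credential change even when it already carries a unique factory password. The device class, the list of shared defaults, and all sample passwords are constructed for the example.

```python
"""Added example: a model of the 'unique preprogrammed password' and
'set a new credential before first access' paths described in the
California and Oregon statutes. The Device class, the default list and
all sample values are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed: shared factory defaults that must never be burned into a whole product line.
# A password shared across every unit is, by definition, not "unique preprogrammed".
KNOWN_SHARED_DEFAULTS = {"admin", "password", "12345", "default", ""}
MIN_PASSWORD_LEN = 8


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a dumped credential store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def provision_unique_password() -> str:
    """Generate a per-unit factory password at manufacturing time (path (a))."""
    return secrets.token_urlsafe(12)


class Device:
    """Hypothetical connected device with a credential gate that fails closed."""

    def __init__(self, serial: str, factory_password: Optional[str], high_risk: bool = False):
        self.serial = serial
        self.high_risk = high_risk
        self.salt = secrets.token_bytes(16)
        if factory_password is None:
            # Path (b): there is no credential at all until the user sets one.
            self.digest = None
            self.must_change = True
        else:
            # Path (a): a factory credential is acceptable only if it is unique to this unit.
            if factory_password in KNOWN_SHARED_DEFAULTS:
                raise ValueError(f"{serial}: shared default password is not unique per device")
            self.digest = derive(factory_password, self.salt)
            # The safe harbor is met, but a high-risk device still forces a change on first use.
            self.must_change = high_risk

    def verify(self, password: str) -> bool:
        """Constant-time comparison against the stored digest; False if no credential exists."""
        if self.digest is None:
            return False
        return hmac.compare_digest(self.digest, derive(password, self.salt))

    def set_credential(self, new_password: str, current: Optional[str] = None) -> bool:
        """Set the first credential (no proof needed) or rotate an existing one (current required)."""
        if self.digest is not None and not self.verify(current or ""):
            return False
        if new_password in KNOWN_SHARED_DEFAULTS or len(new_password) < MIN_PASSWORD_LEN:
            return False
        self.salt = secrets.token_bytes(16)  # fresh salt on every rotation
        self.digest = derive(new_password, self.salt)
        self.must_change = False
        return True

    def access(self, password: str) -> str:
        """Decide a login attempt; every failure path denies access."""
        if self.digest is None:
            return "denied: set a credential before first use"
        if not self.verify(password):
            return "denied: bad credential"
        if self.must_change:
            return "denied: credential change required before first use"
        return "granted"


if __name__ == "__main__":
    # Path (a): a unique factory password is enough for a low-risk device.
    juicer = Device("SN-JUICER-0001", provision_unique_password())
    # Path (b): a device shipped with no credential refuses everything until one is set.
    camera = Device("SN-CAM-0001", None)
    print(camera.access("anything"))
    camera.set_credential("Str0ng-passphrase")
    print(camera.access("Str0ng-passphrase"))
```

The `high_risk` branch is where "it depends" shows up in code: the statute treats both paths as reasonable for every covered device, but the gate above treats a unique factory password as sufficient only for the low-risk tier and otherwise requires the user to replace it before the device does anything.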
As security and encryption approaches continue to advance, the password requirements codified in the laws may actually be disincentives to the adoption of more effective—and reasonable—security practices. So engineers are left asking: what is reasonable security? Unfortunately, “it depends” is the answer right now. Until regulators offer guidance on how they are going to interpret the requirements, or develop those standards through enforcement actions, it will be up to manufacturers to develop industry-wide standards for what constitutes “reasonable security.” This may be particularly challenging in light of the expansive scope of these laws. The California Attorney General, at least, has previously endorsed the Center for Internet Security’s Critical Security Controls as a baseline for reasonable security. And some industries, like the automotive industry, already have good track records and mechanisms to establish industry standards. Emerging industries and existing companies unfamiliar with IoT and 5G may not be in such an advantageous position.
If policymakers can get the law right, they will foster advancements and new industries that have not yet been conceptualized, which will generate enormous wealth, and could fundamentally change how our society operates. The national security community’s focus on 5G is not just about the potential compromise of information and the disruption of critical digital services. It is the recognition that whoever is best positioned to provide and take advantage of this technology will have a profound role in shaping the international economy and society.
Like the proliferation of privacy requirements, IoT security issues are not going away. Other states are considering bills like those of California and Oregon, and Congress is considering a number of bills that could impose or incentivize more stringent data security requirements. Federal regulators, such as the Department of Commerce, the Federal Communications Commission, and the Federal Trade Commission, have pending regulatory efforts or are demonstrating a renewed focus on data security. 2020 promises to be the start of a new era for IoT and 5G, and our laws and regulations need to step up to the challenge.