Is It Time for the Fed to Mandate IoT Security Standards?
By Dan Fries
You can tell a problem has been around for far too long when the government starts talking about solving it. IoT security is one of those problems. It seems that in the rush to develop faster, smarter IoT devices, one important aspect was left behind: security.
Although most developers consider security one of the most important factors when designing IoT devices, certain aspects of IoT lag behind. One is the infrastructure needed to make these devices truly secure. Another is the level of knowledge among the general public about how secure (or insecure) such devices are. Finally, to date, there’s been no governmental guidance on what constitutes the appropriate level of security for them.
That may be about to change. But should it?
Security and IoT
There are a couple of reasons why IoT security is of particular concern at the moment, to the Fed and to others.
One is simply that IoT device manufacturers have prioritized new features and functionality when bringing new products to the market, while leaving a startling array of security vulnerabilities. Another is the rising awareness of cybersecurity among both the general public and lawmakers, who are increasingly concerned about their data being leaked into the public realm.
More specifically, the sheer amount of data that IoT devices collect, as well as the deeply personal nature of a lot of this data, should make consumers uncomfortable about using them. For instance, smart home hubs, like Nest, and home security systems both record data that is potentially critical to other aspects of a user’s cyber-physical security.
Given this, it’s surprising that IoT security hasn’t been raised at a federal level until now.
The Fed’s Proposals
The Fed’s recent proposals follow the introduction of several pieces of similar legislation both in California and in the UK. The UK government is already moving forward with new IoT security legislation that ambitiously tries to cover every device consumers use, from smartphones to home hubs to heating systems.
In the US, California has gone the furthest when it comes to IoT security. California’s IoT security law SB-327 bans the use of default passwords on IoT devices and prohibits the manufacturer from including a “reset to factory settings” option. Every manufacturer of an internet-connected device must also put “reasonable” security features in place that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.“
This bill has been criticized as not going far enough; it’s not due to come into effect until 2020. Yet, this is the basis on which the lawmakers and witnesses in front of the US Senate Committee on Commerce, Science and Transportation’s Subcommittee on Security recently debated about how to make IoT devices safer and more transparent for consumers.
The idea is based on the UK’s proposed legislation. It contains three core principles:
- The passwords that are used by IoT devices should be unique to every device, and users should be unable to reset these to a “default” password.
- IoT manufacturers should provide a public point of contact for users and publicly disclose any discovered vulnerabilities to them.
- Manufacturers of IoT devices should also guarantee a minimum length of time during which they will support each device with security updates.
It’s also been proposed that the private sector collaborate on developing an IoT security certification seal similar to the Energy Star on energy-efficient products, so IoT devices that meet these minimum requirements can be labeled as secure.
Should the Fed Be Involved?
Some minimal scheme, such as that outlined, is likely to gain public support among the section of the public that pays attention to cybersecurity issues, as similar proposals did in the UK.
But this support masks some larger issues. One is that there remains a huge knowledge gap between advanced users and casual users, when it comes to IoT devices or anything else. Consumers who have taken the time to set up their own IoT networks, and those who are reading this article, are probably already using a VPN to encrypt their data. Less advanced users, on the other hand, frequently give consent for their data to be made public without realising what they’re doing.
The other issue is that any legislation that the Fed passes is likely to be out of date by the time it comes into force. The rules passed in California are a good example: some companies are already exploring the use of AIs to secure IoT systems, and by 2020 (when these rules come into effect), lawmakers will have another set of technologies to worry about.
In short, the debate over IoT security is an example of a much broader issue: social and legal systems are simply not fast enough to keep up with the rapid spread and development of technologies like IoT.
All this said, we should not shy away from the Fed’s proposals. If they come into force as they are currently proposed, they will essentially award a “security star” to companies that are already following responsible IoT security practices. There’s no problem with recognizing this via a formal scheme and with increasing the average user’s awareness of the security risks of (some) IoT devices.
But the Fed can never be – and should never be – the ultimate guardian of cybersecurity, whether on IoT devices or any others. The machinery of government is simply too slow nd the knowledge of lawmakers too minimal. Instead, users should be encouraged to take their own security seriously and to secure their own devices in the same way they secure their homes.