Should the US Government Establish IoT Security Legislation?
By Maxine Bingham
Editor-in-Chief, IoT Perspectives
February 27, 2015 – Santa Cruz, CA
(Image above courtesy of Stuart Miles, freedigitalphotos.net)
The recent hacking of Anthem, of Anthem Blue Cross fame and one of the largest health insurers, reveals a worrisome fact of modern-day life (and one familiar to most of us here in Santa Cruz). Information is simply not secure against determined and sophisticated evildoers, especially state-sponsored ones (China is suspected in this hacking of 80 million people’s data). How worrisome, then, are the security concerns that come with the rise of the Internet of Things (IoT), which depends upon connectivity to the Internet and/or between humans and devices?
The likelihood, as security consultant Bill Bonney and I agree (see his recent posts on IoT security in IoT Perspectives) is that a major security breach in an IoT company is not an “if,” but a “when,” and, we think, this year, as IoT becomes more ubiquitous – whether it’s device to person, or machine to machine communications (M2M). In my view, the publicity alone could be an enticement to some nefarious hacker group.
Thus, at all the conferences I attend, I ask speakers and panelists – “what about IoT security?” “Why isn’t the industry coming together on this?” The answers I get are evasive in the extreme.
I don’t see security concerns as something that will inhibit the spread of IoT, since we all participate in giving our data freely as it is. And, like closing the barn door after the horse has fled, I only expect companies to take IoT-specific security seriously after some incidents have occurred and consumers yell loud and hard.
Thus, in the midst of what appears to be a black hole of planning by industry, the US Government has stepped in (although the Industrial Internet Consortium has security as one of its working groups – we’ll see how well that progresses). In addition to planned Congressional hearings, the Federal Trade Commission (FTC) has released a January 2015 report on “The Internet of Things, Privacy & Security in a Connected World.”
Let me quote part of the Executive Summary about security and legislation:
“…the FTC hosted a workshop on November 19, 2013 titled The Internet of Things: Privacy and Security in a Connected World (who participated?). This report summarizes the workshop and provides staff’s recommendations in this area. Consistent with the FTC’s mission to protect consumers in the commercial sphere and the focus of the workshop, our discussion is limited to IoT devices that are sold to or used by consumers.
…There appeared to be widespread agreement that companies developing IoT products should implement reasonable security. Of course, what constitutes reasonable security for a given device will depend on a number of factors, including the amount and sensitivity of data collected and the costs of remedying the security vulnerabilities. Commission staff encourages companies to consider adopting the best practices highlighted by workshop participants, including those described below.
First, companies should build security into their devices at the outset, rather than as an afterthought.
As part of the security by design process, companies should consider: (1) conducting a privacy or security risk assessment; (2) minimizing the data they collect and retain; and (3) testing their security measures before launching their products.
…When companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels…Finally, companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.”
Notice repetition of the words, “consider implementing,” and “reasonable.” What is the definition of “reasonable?” After the barn door has shut?
“Participants also discussed whether legislation over the IoT is appropriate, with some participants supporting legislation, and others opposing it (who were these participants?). Commission staff agrees with those commenters who stated that there is great potential for innovation in this area, and that IoT-specific legislation at this stage would be premature. Staff also agrees that development of self-regulatory programs designed for particular industries would be helpful as a means to encourage the adoption of …security-sensitive practices.
However, in light of the ongoing threats to data security and the risk that emerging IoT technologies might amplify these threats, staff reiterates the Commission’s previous recommendation for Congress to enact strong, flexible, and technology-neutral federal legislation [emphasis added] to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach.
General data security legislation should protect against unauthorized access to both personal information and device functionality itself [emphasis added]. For example, if a pacemaker is not properly secured, the concern is not merely that health information could be compromised, but also that a person wearing it could be seriously harmed (former VP Dick Cheney wouldn’t have an IoT heart device as he was concerned about serious harm by hackers).”
So, it all depends on one’s point of view. Since agencies and legislators want to legislate as their raison d’être, will this inhibit commercial growth by adding onerous, costly and possibly ineffective laws regarding our Nest thermostats, Fitbits and lighting automation, or do we need the government to step in to try and protect us?
Considering the serious problems of the “Obamacare” web site, which took years and over two billion dollars to develop (Covered California’s web site made enrolling for 2015 virtually impossible as the deadline loomed), I am not sanguine about allowing the government, of all “people,” to drive technology regulation for IoT security. Who would they listen to? What would be those individuals’ and companies’ skin in the game? Who is going to ensure technology “neutrality?” That doesn’t even happen with so-called industry standards.
Industry really has to step it up, and work with consumers and enterprise customers to ensure more than “reasonable” security for IoT solutions and devices.
There are many IoT standards bodies, primarily concerned with interoperability. Many companies feel that security should be handled by each company in its own way. However, with the US Government breathing down our necks, if industry – and investors who fund innovation – don’t make IoT security a major focus, then, the government will.
Considering the Obamacare technology debacle (which is still ongoing), as well as foolish and unwarranted venture capital-type investments in alternative energy, I come down on the side of those who hope that the wheels of government will grind slower than industry’s.