As the Internet of Things (IoT) becomes more popular in enterprises, the likelihood of security breaches increases. Hackers view these devices as vulnerable points to enter systems, steal data, and ultimately wreak havoc on an organization. In response, US senators Mark Warner, Cory Gardner, Ron Wyden, and Steve Daines recently introduced the Internet of Things Cybersecurity Improvements Act of 2017.
Legislation is one of those things that often seems like a good idea at the time. This act could provide valuable guidelines for IoT security–but it could also add unnecessary complexity to the compliance and IT department. And some experts say it may not go far enough to be of real value.
The current bill asks vendors that sell internet-connected devices to the government to ensure that their products are patchable. While that’s a good start, it doesn’t include consumer devices, leaving them vulnerable, noted Jim Hunter, chief scientist and technology evangelist at Greenwave Systems.
“So far, the only penalty for device-makers who prioritize getting a product to market without basic security features is bad PR,” he said. “Legislation can enforce what device-makers should already be doing.”
The elements of successful legislation
At the very least, Hunter said, any IoT security legislation needs to be shaped around existing security standards, such as changeable passwords, mandatory vulnerability patching, the ability to detect suspicious access attempts, and plans to minimize damage should an attack occur. “These standards are reasonable requirements that are in line with engineering protocols that other manufacturing disciplines follow.”
The US could take some cues from Europe–in particular, the European Union’s General Data Protection Regulation (GDPR), slated for enforcement next year. “With GDPR, the European government sets a good example by putting an emphasis on protecting its citizens’ privacy and data,” said Gorav Arora, data protection CTO at Gemalto. “Similar legislation is needed in the US, and the massive Equifax breach might be the watershed moment.”
Of note is that the Federal Trade Commission (FTC) did issue a set of IoT security guidelines after the notorious Jeep hack a few years ago. The thoroughness of the guidelines could help mitigate security risks for those involved in working with IoT devices, and if IT departments start now, they can get a jump on any regulations that might come into play later, Arora said.
IoT devices continue making inroads in the business world, so organizations should have a defined IoT structure in place to ensure that data and operations are properly secured. These guidelines cover the procurement, usage, and administration of IoT devices, whether provided by the company or employee owned. Free for Tech Pro Research subscribers.
Legislation may not be a panacea
However, even the best intentions from legislation may not be enough. “It’s difficult to impossible to legislate security,” said Sean Sullivan, security advisor at F-Secure. Laws and regulations are rarely future-proof, and general regulations require an agency to enforce them. The government is already overburdened with agencies, he said.
Sullivan believes that the IoT Cybersecurity Improvements Act of 2017 and associated legislation, which requires security for IoT providers to the government, might be a step in the right direction. “If the government wants to affect IoT security, then the US and other governments should use their purchasing power to reward vendors that live up to certain standards–and to ban government purchases of those that do not,” he said.
Overall, though, legislation may do more harm than good, said Richard Henderson, global security strategist at Absolute. “Forcing IoT device manufacturers, especially smaller ones or startup companies, to adhere to some nebulous set of rules is likely to have a deleterious effect on the technology.” He said it would drive up costs for both the manufacturers and the consumers, whether those consumers are enterprise or not. In addition, legislation often moves slowly much more slowly than technology develops.
But Henderson also said that most companies are already on top of IoT security. That self-regulation may be more valuable than anything passed by a governing body, although the EU seems to be taking the lead. “If the majority of tech companies out there can get ahead of the game and show they’re taking secure development and long-term support of IoT devices seriously, maybe governments won’t need to step in.”
The takeaway for now is that legislation may help in the short term to secure IoT devices. However, for truly comprehensive guidelines, it may be up to industry associations to set standards, as legislative bodies are often slow to act. The EU may be on the right track, and the Internet of Things Cybersecurity Improvements Act of 2017 may also foster a more secure IoT environment. But legislators must be careful not to pass burdensome laws that could stifle innovation.