The global explosion of IoT (Internet of Things) is already in full swing, along with an equally powerful increase in malicious hacker attacks. Ensuring information security on the Internet is becoming a priority for IoT developers. The American Internet resource, which is devoted entirely to IoT, today raised the following question: is it time for the federal government to put in place the security standards of the Internet of things? How to involve the manufacturer in all this? Cybersecurity analyst and author of the issue, Dan Fries, found that there are arguments on both sides of the topic.
There seems to be one important aspect in the quest to develop faster and smarter IoT devices: security.
While most developers consider security to be one of the most important factors when developing IoT devices, some aspects of IoT are lagging behind. One of them is the infrastructure necessary to ensure the security of these devices. The other is the level of knowledge of the general public about how safe (or unsafe) the artificial intelligence of the Internet of things (Skynet from the Terminator and the Matrix are immediately remembered). Finally, to date there has been no government guidance on what constitutes an appropriate level of security.
This may change. But should it?
Security and the Internet of Things
There are several reasons why IoT security is of particular concern to the US Federal Reserve and other agencies in other countries.
One of them is simply that IoT device manufacturers gave priority to new functionality when introducing new products to the market, while leaving an amazing set of security vulnerabilities. Another is the growing awareness of cybersecurity among both the general public and lawmakers, who are increasingly concerned about the leak of their data into the public sphere.
More specifically, the sheer amount of data that IoT devices collect, as well as the deeply personal nature of many of this data, should make consumers inconvenient to use it. For example, Nest’s Smart Home Internet of Things and home security systems record data that is potentially important for other aspects of the cyber physical security of the user.
Given this, it is surprising that IoT security has not been enhanced at the federal level so far.
Smart voice speakers are gaining popularity in Russia, which also need to be “followed” by a simple consumer, otherwise they will “follow” you. Although the Federal Law 187 “On the Security of Critical Information Infrastructure of the Russian Federation” helps you.
Back to the USA. Recent Fed proposals have followed the introduction of several similar laws in both California and the UK. The UK government is already moving forward with new IoT security legislation that is ambitiously trying to cover all the devices consumers use, from smartphones to home concentrators and heating systems.
In the USA, California has become the most backward state when it comes to the security of the Internet of things. California IoT Security Act SB-327 prohibits the use of default passwords on IoT devices and prevents the manufacturer from enabling the “factory reset” option. Each manufacturer of a device connected to the Internet must also establish “reasonable” security features that “protect the device and any information contained in it from unauthorized access, destruction, use, modification or disclosure”.
This bill has been criticized as not far enough; it will enter into force only after 2020. However, it was on its basis that US lawmakers discussed how to make IoT devices safer for consumers.
The idea is based on three safety principles proposed in UK law:
• Passwords used by IoT devices must be unique for each device, and users cannot reset them to the “default” password.
• IoT vendors should provide users with a public point of contact and publicly disclose any vulnerabilities discovered to them.
• IoT device manufacturers must also ensure that they keep their device’s security settings up to date.
It has also been suggested that the private sector jointly develop an IoT safety certification seal similar to Energy Star for energy-efficient products.
Should the Fed be involved?
Some minimal scheme similar to the one set forth is likely to receive public support among the part of the population that pays attention to cybersecurity issues, like similar proposals in the UK.
But first, there is a huge gap in knowledge between advanced and regular users when it comes to IoT devices or anything else. Consumers who take the time to create their own IoT networks, and those who read this article, are probably already using VPNs to encrypt their data. On the other hand, less advanced users often agree to release their data without even realizing what they are doing.
Another problem is that any legislation that the Fed adopts is likely to become obsolete by the time it enters into force. California’s rules are a good example: some companies are already exploring the possibility of using AI to protect IoT systems, and by 2020 (when these rules come into force), lawmakers will have another set of technologies to worry about.
In short, the IoT security debate is an example of a much broader issue: social and legal systems are simply not fast enough to keep up with the rapid spread and development of technologies like IoT.
In the end
All this suggests that we should not shy away from the Fed's proposals. If they take effect as they are currently offered, they will essentially award a “safety star” to companies that already follow responsible IoT security rules.
The source article emphasizes that the Federal Reserve should in no case be the main custodian of cybersecurity, whether on IoT devices or any other. The governance mechanism is too slow, and the knowledge of lawmakers is too small. Instead, users should be encouraged to take their own security seriously and protect their devices in the same way that they protect their homes.