Until recently the IoT landscape has been something of an unregulated Wild West. On March 11, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, was introduced by the United States Congress in a movement to change this. If passed, the bill means government agencies can only procure and use devices which adhere to a minimum set of security standards.
The bill does not extend to consumer and business use, but it does present the opportunity for regulations to be introduced in the future. Other bills designed to secure IoT use have been introduced to Congress in the past, but this one is slightly different as it is tactically less prescriptive and devolves much of the responsibility for fleshing out the regulation to the National Institute of Standard and Technology (NIST).
Regardless of the bill’s fate, it’s reassuring to see IoT regulation still on the agenda with continued recognition amongst policymakers, that the issue must be contained. IoT adoption is increasing, and we’re now seeing sharp, ‘hockey-stick’ growth in the volume of insecure devices.
Looking specifically at the UK, the challenge should not only be to follow the actions of the US – introducing regulatory measures to secure government use of IoT technology – but taking this one step further by expanding the regulations to include business and consumer IoT devices too.
Legal accountability
The Department for Digital, Culture, Media & Sport has already made progress in addressing IoT security risks by publishing the Secure by Design report in early 2018 and introducing a Code of Practice (CoP) for consumer IoT security. The CoP sets out practical steps for IoT manufacturers and the industry. It includes guidelines for the most important cyber security practices, ranked by criticality and importance. But unfortunately, it won’t prevent non-compliance and is likely only to be followed by the most diligent manufacturers and businesses. We should set a positive example by making some of the standards legally enforceable.
Does the UK need an IoT regulator?
Regulate all use
Presently, the CoP only provides advice and guidelines for consumer devices. This includes health watches, smart home appliances as well as toys and monitors for children. The potential compromise and misuse of these devices present a far more immediate and emotional threat to our security compared to business IoT use. It makes sense that the government would choose to address it first. And with good reason, we have seen plenty of examples of vulnerable children’s toys. There was the “smart toy bear” with a security flaw that enabled hackers to access sensitive information, and a talking dinosaur allowing voice, data and video traffic to be captured.
UK Government sets cyber security guidelines for millions of IoT devices
IoT is one of the fundamental technologies businesses are using for digital transformation efforts. Corporate networks are only as strong as their weakest links (did you hear the one about the casino that was hacked through a fish tank?) And it’s not just your own connected devices you need to be concerned about, as was highlighted recently in research from a US university.
Looking ahead, we’d like to see the CoP become legally enforced. We understand this is something the government is actively considering and has the backing of cyber security community.
Built-in safety
Our relationship with technology has moved on from allowing us to secure our own devices – like a desktop computer – by installing antivirus software or being careful about how we use it (such as the types of websites we visit or the links we click on).
We are now required to manage multiple IoT devices, but trying to log on and configure the security settings of a connected fridge, thermostat or watch to meet our own specific requirements is not usually possible. We must rely on the manufacturer to guarantee security. Legislation will ensure every IoT device complies by a set of minimum security standards.
More regulation, more solutions needed: IoT device breaches continue to put user data at risk
The Government’s Code of Practice is a good starting point for this change, as it already outlines many of the changes which need to be made.
A competitive advantage
We cannot allow the IoT Wild West to continue, but equally no industry wants to be restricted by unnecessary regulation. Could the implementation of these rules actually make the UK less competitive against those less regulated markets? We don’t think so. Device security is now of such critical importance that taking a leadership position will prove to be a differentiator for the UK market.
Ultimately, IoT is still in its infancy – actions to improve security now will be key to accelerating adoption.
Written by Peter Groucutt, managing director at Databarracks