"Inside Privacy" did a roundup in May last year of some legislative initiatives on IoT security and privacy, summarizing five draft bills in the U.S. that approach IoT from different perspectives: seeking to develop IoT technologies, imposing contractual requirements on companies that provide IoT devices to the government, regulating specific security standards, and creating new resources for consumers to better understand the security and reliability of their IoT devices.
As we plan to take advantage of the IoT, we also need to keep an eye on current and future laws and regulations that might have an impact on IoT solutions over and above more general data privacy frameworks.
Here’s the current state of the five initiatives listed last year:
- Developing Innovation and Growing the Internet of Things (“DIGIT”) Act: Passed by the Senate, committee stage in the House of Representatives
- Internet of Things Cybersecurity Improvement Act of 2017: Committee stage in both houses
- Securing the IoT Act of 2017: Committee stage in both houses
- Cyber Shield Act of 2017: Committee stage in both houses
- The IOT Consumer Tips to Improve Personal Security Act of 2017: Committee stage in the Senate, not yet introduced in the House
So, does this mean that we shouldn’t consider them in our forward planning?
Definitely not! There are many calls on the time of legislative assemblies, so that time is inevitably prioritized; and there are plenty of global examples of what happens when lawmaking is rushed, leading to laws that are poorly drafted and difficult to put into effect.
From a strategic perspective, it’s useful to keep an eye on legal and regulatory developments that might affect our industry and our customers so that we can stay ahead of developing requirements.
Lawmakers are starting to take notice of the IoT after a succession of vulnerabilities (remote activation of microphones and cameras in children’s toys, easily compromised "security" solutions), and are proposing measures that are, when looked at in the cold light of day, based on common sense, such as these proposed mandatory clauses for procurement of devices by government agencies in the Internet of Things Cybersecurity Improvement Act of 2017:
- The contractor (the entity selling the IoT device) provides written certification that:
  - The device does not contain any known security vulnerabilities or defects that are listed in the NIST database of vulnerabilities or other such national databases.
  - All components are capable of being updated securely from the vendor.
  - The device uses only industry standard protocols and technologies.
  - The device does not include any fixed or hardcoded credentials used for remote administration, delivery of updates, or communication.
- The contractor will notify the purchasing agency of any known security vulnerabilities or defects subsequently disclosed to the vendor by a security researcher, or of which the vendor otherwise becomes aware, for the duration of the contract.
- Software or firmware components are updated or replaced, consistent with other provisions of the contract, in order to fix or remove a vulnerability or defect in the component, in a properly authenticated and secure manner.
- A contractor requirement to provide repair or replacement in a timely manner in respect of any new security vulnerability discovered through any of the “national databases”, or through the coordinated disclosure program.
- A contractor requirement to provide the purchasing agency with information on the ability of the device to be updated, such as:
  - The manner in which the device receives security updates.
  - The anticipated timeline for ending security support.
  - The formal notification when security support has ceased.
  - Any additional information recommended by the NTIA.
None of these sound unreasonable, or beyond the realms of common sense for government procurement, and they ought to lead to a "trickle down" effect in the market as vendors making "government agency compliant" devices seek to make an additional return on investment by offering the same specification to a wider customer base.
Regardless of the pace of legislation, in both our work and personal lives we need to pay attention: with Gartner estimating 20.4 billion IoT devices by 2020, the scale of the potential problem is growing.
Gartner also predicted (as of January 2017) that spend on IoT devices would treble between 2016 and 2020, from just over 1 trillion dollars to just under 3 trillion.
Clearly, action needs to be taken sooner rather than later whilst the scale of the problem remains anywhere near manageable.
In the meantime, security company McAfee has published advice on securing routers, gaming systems and voice interfaces.
In the commercial world, the NIST draft internal report on IoT Cybersecurity and Privacy should also be on your reading list, along with Gartner’s "Leading the IoT" ebook, which looks at IoT initiatives from a leadership point of view.