The internet of things is quickly becoming the next frontier of technological innovation for consumers, businesses, industry and governments. Gartner predicts that by 2020, IoT technology will be in 95% of electronics for new product design. However, the same Gartner study that made that prediction also suggests that “through 2022, half of all security budgets for IoT will go to fault remediation, recalls and safety features rather than protection.” That’s a big “but” for those who embrace the many benefits of IoT, and it raises the question: Why aren’t governments and regulatory authorities doing anything about it?
With Bruce Schneier, CTO of IBM Resilient, stating, “You can’t talk about regulation versus no regulation — that ship has sailed. Now it’s about smart or stupid regulation,” at the RSA Security Conference in February, it’s time to get the ball rolling. But what’s already being done?
The truth is, not much.
The U.S. Senate introduced a bipartisan bill this August calling for minimum security requirements for IoT devices used by the federal government, though its recommendations are very general, not to mention limited in scope. According to the proposed bill, vendors will be required to ensure that their devices are patchable, rely on industry standard protocols, do not use hardcoded passwords and do not contain vulnerabilities. While the senators introducing the bill expressed their concerns about the lack of security for IoT devices, little is being done by regulatory authorities to address commercial and consumer applications of the technology.
Some of the first signs of regulatory policy are now being drafted in the EU, where IoT security and privacy relate to GDPR compliance initiatives, and in the U.S., though currently the only state that seems concerned about the impact of emerging technologies is California. In the latter case, the State of California Senate drafted Bill 327, not yet ratified, which asks for built-in security features from connected device manufacturers. It would also require manufacturers to “equip devices with reasonable security features,” “design the device to let the consumer know when information is being collected,” and notify consumers directly of relevant security patches and updates.