
Regulation for IoT security and data privacy

Software development programs that implement the internet of things today have to include measures to protect privacy and strengthen security, because data becomes more and more accessible through the internet and connected devices. When it comes to IoT privacy, courts have had to fall back on the U.K. Consumer Protection Act 1987 and anti-surveillance laws to counter the poor security practices of manufacturers. Legislation simply has not kept up with technological innovation, so cases are being bent to fit the laws that already exist.

The internet of things is a rapidly growing segment of information technology that is expected to reach 20 to 50 billion internet-connected devices by 2020. It promises to simplify many aspects of people's lives. It would also permeate every aspect of life, which has plenty of experts concerned. To deal with the risks of connected devices, proper regulations, and consequences for failing to adhere to them, are critical.

Regulation on privacy and security

The Federal Network Agency recently succeeded in banning the internet-connected doll "My Friend Cayla" in Germany, where telecoms law prohibits concealed transmitting devices, a rule introduced in response to the abusive surveillance of Nazi Germany and East Germany. This case illustrates that it is not possible to issue a blanket sales ban. Self-regulation of custom software development in IoT clearly has not worked, so governments are beginning to take action. In the meantime, the Federal Trade Commission has its work cut out taking IoT device makers to task, having sued manufacturers including D-Link Corporation, TRENDnet, ASUS and Revolv. ASUS agreed to an understanding that it would provide product support for a minimum of 20 years. In the D-Link case, the FTC had to resort to challenging claims on the company's website, making it a dispute over advertising rhetoric.

It is clear that authorities need IoT-centric legislation. The FTC championed the consumer cause in court and published guidelines for IoT security and privacy protection in 2015. At that time, it stopped short of calling for regulation, saying it would be "premature," since the general consensus was that self-regulation would do better and would avoid stalling the development of a nascent industry.

The Cybersecurity Improvement Act of 2017

The Internet of Things Cybersecurity Improvement Act of 2017 is a U.S. Senate bill that lays ground rules for IoT device security. While the legislation only applies to government agency affiliates and suppliers, it could help establish a benchmark for device manufacturing that would influence commercial production.

The bill states that IoT devices should:

  • Not have software, hardware or firmware vulnerabilities listed in the NIST vulnerability database
  • Not use hardcoded or fixed credentials for remote administration, communication or updates
  • Not use deprecated networks or encryption protocols
  • Be able to receive trusted and authenticated software updates from manufacturers
  • Have future update support and provide timely fixes for newly found vulnerabilities
  • Disclose newly found vulnerabilities to consumers
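The fourth and fifth requirements above are the ones a device engineer actually has to implement, so here is an added example, written for this page and not drawn from the bill or from any manufacturer's code, of what "trusted and authenticated software updates" means in practice. It assumes a hypothetical manifest format (a version number and the SHA-256 of the firmware image, signed with the manufacturer's Ed25519 key); the device holds only the public key, so no credential on the device can sign an update, and it refuses images that are unsigned, tampered with, or older than what is installed (rollback), which is what stops an attacker reinstalling a version with a known vulnerability.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is the hypothetical metadata the manufacturer signs alongside
// the image: a monotonically increasing version and the hash of the payload.
type UpdateManifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// manifestBytes is the exact byte string that is signed and verified:
// big-endian version (4 bytes) followed by the 32-byte image hash.
func manifestBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// SignUpdate runs on the manufacturer's build system, the only place the
// private key exists. Nothing here ever ships on the device.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdateManifest {
	h := sha256.Sum256(image)
	return UpdateManifest{
		Version:   version,
		ImageHash: h,
		Signature: ed25519.Sign(priv, manifestBytes(version, h)),
	}
}

// VerifyUpdate runs on the device, which holds only the public key and the
// version it currently runs. Checks are ordered so the cheap rollback test
// happens first and the payload hash is only trusted after the signature.
func VerifyUpdate(pub ed25519.PublicKey, currentVersion uint32, m UpdateManifest, image []byte) error {
	if m.Version <= currentVersion {
		return errors.New("rollback rejected: manifest version is not newer than the installed one")
	}
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.ImageHash), m.Signature) {
		return errors.New("signature invalid: update was not signed by the trusted manufacturer key")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image hash mismatch: payload does not match the signed manifest")
	}
	return nil
}

func main() {
	// Constructed demo: the key pair stands in for the manufacturer's real one.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2")
	m := SignUpdate(priv, 2, image)

	fmt.Println("genuine update :", VerifyUpdate(pub, 1, m, image))

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // flip one bit of the payload
	fmt.Println("tampered image :", VerifyUpdate(pub, 1, m, tampered))

	fmt.Println("rollback to v2 :", VerifyUpdate(pub, 2, m, image))
}
```

In a real device the public key would be baked into immutable storage (or a hardware root of trust) and the installed version stored in anti-rollback counters, so that neither can be changed by the same update path they protect.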

The importance of IoT regulations

The internet of things requires the right regulations to keep enterprises and consumers safe without stifling innovation. There are sensible steps that manufacturers, regulators and end users should take, which could spell the difference between success and cyber-annihilation. The move towards regulation could still be thwarted by opposing user-ownership movements. The draft Right to Repair bill aims to extend the longevity of products by making them easier to repair, including by users themselves, which makes firmware far harder to secure, since obfuscation and tamper-proofing techniques are seen as obstacles to effective repair.

Common sense steps to protect consumers

IoT should be lightly regulated, as a heavy-handed approach could stifle innovation and limit options for the numerous small companies that simply do not have the resources to respond to endless data requests. The following are common-sense steps that regulators could take to protect consumers while maintaining a light touch:

  1. Prioritize investigations based on the number of victims and the severity of the impact.
  2. Have regulators collect reports on security efforts on a regular basis, to minimize the cost of responding to regulator queries.
  3. Structure investigations for automation with industry-standard queries for cybersecurity controls.
  4. Have regulators publish testing scripts and sample investigation questions on their sites to encourage more automation.
  5. Expedite reviews through federal courts.
  6. Provide guidance based on IoT use cases for sector-specific industries, including the necessary controls.
  7. Have regulators offer concise and clear safe-harbor options, which impose a higher burden on the regulators.
  8. Regulations should incorporate the supply chain for accountability.
  9. Regulators should provide breach investigation information wherein companies discovered to behave reasonably had no enforcement action taken.
  10. Regulators should harmonize their cybersecurity guidance across all agencies that regulate the same practices.

Even in the unlikely event that the recommendations are adopted, IoT integrators, manufacturers and end users may have to alter their practices as well as tighten cybersecurity and privacy controls for products. The IoT industry is now mature enough to benefit from regulation.

When it comes to IoT regulation, it is important to accept globally that security in connected devices is as important as functionality. Culturally, the world needs developers, manufacturers and installers to thoroughly understand — and appreciate — the need for good security, and to have the skills to provide it. At present, the internet of things is driven by a desire to innovate on the developers' part and by functional need on the buyers' part. IoT technology is hard to manage if it is not properly regulated. If businesses adhere to regulations and standards, that could ensure reliable services in the cybersecurity field.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.