The Internet of Things (IoT) is a lot like the Wild West. Considerable disruption and innovation occur with little meaningful oversight to maintain order. There’s a new sheriff in town, though…by which I mean lawmakers imposing regulation on the IoT space.
The tide of regulation began with California, which enacted a new law, SB-327, back in 2018 that requires manufacturers to equip IoT devices with “reasonable” security features. Now, all IoT devices sold in the state—and by extension, the rest of the US—must either come with a strong, unique password or force users to create one. No generic default passwords are allowed.
Similar legislation is now in place in the UK as well, intending to make IoT devices “secure by design.” However, the question remains: can regulation on its own effectively secure IoT devices?
Is This the Right Approach?
Opinions are mixed in the industry regarding the idea of imposing security standards for IoT devices via regulation. Some argue this is the role the government should play in addressing IoT challenges. To others, this is exactly the opposite of the right approach: demanding ultimately ineffective solutions while leaving genuine vulnerabilities unaddressed.
One avenue of intervention currently being explored by the UK government is a mandatory new labeling scheme. This label—visible to consumers before purchase—would outline the capabilities of IoT devices and explain just how “smart” the device may be. This labeling scheme constitutes a kind of informed consent. Consumers are cognizant of what data they’re sharing and any potential vulnerabilities of that data before they ever plug in the device.
The focus of the UK label is to mandate the three primary security requirements laid out in the current “secure by design” code of practice. These principles state that consumers should have the following:
- Unique passwords that can’t be reset to a factory setting.
- Access to a point of contact.
- Foreknowledge of the period through which manufacturers will provide security updates.
State oversight of IoT devices could slow down processes and hamper innovation. That said, the practices outlined by the UK government are sound ideas on their own. Perhaps by adhering closely to these principles, IoT device manufacturers can forestall the need for broader oversight.
Adopting a Vulnerability Disclosure Policy
The industry can outpace the need for external regulation by attending to best practices. To accomplish this, manufacturers and industries must hold themselves directly responsible.
Providing the necessary level of protection calls for the development of vulnerability disclosure policies, or VDPs. Government bodies as varied as the US Department of Defense and the National Highway Traffic Safety Administration have weighed in on what a VDP should entail, but the basic idea is that the policy answers five key questions:
- Can you commit to protecting customers and stakeholders?
- What is the scope of the protection you offer?
- Will you protect those who report security vulnerabilities and breaches?
- What process do you use to report vulnerabilities?
- What priorities will you have when evaluating reports?
Developing a VDP isn’t an admission of guilt, weakness, or lack of faith in one’s products. It’s simply an acknowledgment that no technology is perfect. Industry stakeholders need to develop a VDP for reporting identified and potential vulnerabilities, in line with the three principles of strong customer authentication, open communication, and regular updates.
Make Consumer Education a Priority
Widespread adoption of vulnerability disclosure policies is important. That said, consumer education needs to be a top priority as well.
We need to expand the conversation surrounding digital security in general. It’s especially vital as it relates to IoT technologies, given how intimately connected many of these tools are to people’s day-to-day lives. Increasing security at the individual level is the only really effective way to curtail the impact of data breaches and fraud activity.
We should expand consumer awareness of security best practices as they relate specifically to smart devices, including the following:
- Using strong encryption on home Wi-Fi connections.
- Establishing guest connections for visitors that remain separate from one’s personal network.
- Updating usernames and passwords regularly, and using strong, hard-to-guess passwords.
- Checking default security settings for all devices added to the network and adjusting as necessary.
- Installing regular software updates, but only those provided by the manufacturer.
Legislation is one way to ensure compliance with basic security standards, but it doesn’t have to be the only solution. Through strong security and support on the manufacturer end, and a better understanding of IoT devices among consumers, we can effectively remove the need for lawmakers to step in.