IoT regulation is coming, regardless of what Washington does
TORONTO—Too many connected devices still ship in a grossly insecure form, customers don’t seem to care, and Washington shows no sign of doing anything to bring order to the mess. But a group of security and privacy experts are declining to despair.
In a panel discussion I led at Access Now’s RightsCon conference here last week, computer scientist Bruce Schneier, former Ontario Privacy Commissioner Ann Cavoukian, Access U.S. policy manager Amie Stepanovich, and Atlantic Council cybersafety innovation fellow Beau Woods agreed that the state of Internet of Things security stinks—and that neither device manufacturers nor the federal government seem anxious to address it.
But they also see clear signs of progress from other actors that can compel action.
Privacy is the least of your problems
The traditional fear of connected baby monitors and security cameras is that poor protection means that you won’t be the only person observing your kid or your front porch. But when IoT devices go beyond monitoring their environment, affecting it, the threat model radically changes.
“Once you have computers touching the world, the risks are no longer about data,” Schneier said. “The risks are about life and property.”
The title of his upcoming book on IoT security phrases things a little more directly: Click Here to Kill Everybody.
READ MORE ON THE CONNECTED HOME
3 tips to secure your connected home
Your old router could be a hacking group’s APT pawn
Shut the front door: The state of the ‘smart’ lock
5 questions to ask before buying an IoT device
4 ways to protect your data when using Google Home and Amazon Echo
How to secure your home Wi-Fi
Woods, who has worked with the U.S. Food and Drug Administration on medical-device security, shared that assessment. “I’m positive that we’ve had dead patients because of hacks,” he said.
He and Schneier observed that the WannaCry ransomware infection hit so many health care systems in the United Kingdom that it amounted to a distributed denial-of-service attack on hospitals, which in turn had to turn away ambulances. A DDoS attack launched from hacked IoT devices like 2016’s Mirai botnet could be even more damaging.
Stepanovich noted that Internet-connected sex toys have suffered from poor security and suggested a scenario out of a particularly dark sci-fi novel: “In a world of IoT, the term ‘virtual rape’ takes on very visceral, meaningful connotations.”
The market is not helping
Customers are not clamoring for insecure devices, but they’re also ignoring the commandment Cavoukian offered at the panel: “Do not bring connected devices into your home.” And many remain content to shop on price alone.
“The market doesn’t care,” Schneier said. “Because at the purchase decision, the buyer doesn’t care, and the seller knows that.”
Cavoukian suggested quizzing store clerks about device security and escalating your queries to the manager, if necessary. But while that approach might raise retailer consciousness, it seems less likely to convert a shopping trip into an informed purchase.
Even professionals can fail to contemplate the risks of using a hacked device. Woods cited studies with doctors who were handed hacked devices that led to the deaths of simulated patients. Each time, he said, the physicians didn’t even think of that possibility.
“The responses to the hack were, there was nothing wrong,” he said.
And because so many IoT devices have little or no user interface, detecting and diagnosing an exploit can be impossible.
“A lot of the times, those devices don’t have any availability to capture data about whether they’ve been tampered with or not,” Woods said.
Washington isn’t helping, either
In other areas, national regulation has driven continuous improvements in safety. The National Transportation Safety Board, for example, has helped make commercial aviation the safest way to travel. All the panelists said Washington needs to play the same role in IoT security.
“Without government intervention, the market does not solve these problems,” Schneier said, renewing his past calls for federal regulation.
“We absolutely need regulation in this area, because we need to create a floor of security,” Stepanovich said.
But none of them expect Congress, which has spent years failing to complete tasks as basic as passing uniform data breach notification legislation, to step up on this front. For example, the Cyber Shield Act, which Rep. Ted Lieu (D.-Calif.) and Sen. Ed Markey (D.-Mass.) introduced last year to establish security standards, has yet to advance out of committee in the House and the Senate.
The one possible exception: The nightmare, mass casualty scenario Schneier raised—”you’ll know when the big thing happens: when lots people die”—spooks Congress into rushing to pass a bill potentially as poorly drafted and deeply flawed as the Computer Fraud and Abuse Act.
“The law that goes into place at that point is going to be too overbroad,” Stepanovich warned.
Here’s who can help
The legislative branch isn’t the only actor that can force progress. Woods pointed to increasing pressure on medical-device manufacturers from the Food and Drug Administration, health insurers, and large health care organizations.
“The FDA has started more closely scrutinizing things,” he said. “The Mayo Clinic has started requiring something called a software bill of materials, as well as evidence of different types of security testing.”
Woods also participates in a volunteer effort called I Am the Cavalry to craft best-practices standards, and it is making some progress. In 2016, for example, the group put out a five-star list of security principles for automakers. Although none comply with all five, “a lot of companies are starting to hit multiples of them,” he said.
The National Institute for Standards and Technology has launched its own IoT security program, and the Federal Trade Commission, which has a full slate of five commissioners for the first time in years, has begun to be more aggressive in its enforcement actions.
Outside efforts to equip consumers with more security information are also gearing up. Underwriters Laboratories is developing cybersecurity labels, and the Consumer Reports-led “Digital Standard” effort has already revealed vulnerabilities in Samsung- and Roku-connected TVs.
IoT platform vendors can set valuable norms too. Google’s new Android Things platform will give manufacturers a locked-down system, with three years of guaranteed software updates. Microsoft’s Linux-based Azure Sphere platform comes with a pledge of 10 years of updates.
States can also pass their own laws, and bring their own enforcement actions. Schneier called California, Massachusetts, and New York especially aggressive in pursuing company accountability. But the most powerful influence may come from the European Union—”the regulatory superpower on the planet,” as Schneier put it.
The EU’s General Data Protection Regulation, going into effect May 25, imposes sweeping privacy rules on companies doing business there. “That is going to be a game changer,” Cavoukian said. Stepanovich complimented the GDPR’s focus on risk to the user and its data breach disclosure requirements.
“They’re going to tackle security next,” Schneier predicted. And when it’s easier for companies to make one product than two, such an effort should benefit U.S. customers too: “That’s my hope—that there will be a strong rising tide—because you write once and sell everywhere.”