IoT Regulation Could Save the Internet

Published: 22/11/2024   Category: security




Momentum may be building for meaningful (and useful) security regulations for the IoT.



"The Internet of Things leads also to the Internet of Threats because, obviously, every device that has [connectivity to] the Internet built into it becomes subject to hacking; that's just the bottom line," said US Senator Edward Markey (D-Mass.) in a Senate Subcommittee hearing last year. "If you don't deal with the threats, then all you are doing is ignoring the inevitable problems that are going to be created."
Markey is known for having IoT regulation as a pet issue -- particularly when it comes to automobile connectivity (he has dubbed modern cars "computers on wheels"). Four years ago, Markey and fellow US Senator Richard Blumenthal (D-Conn.) pressed automaker executives on the issue of cybersecurity in their vehicles. Since then, Markey has grown fond of saying, "Thieves no longer need a crowbar to break into your car; they just need an iPhone."
Markey isn't far off the mark. Hackers have time and again demonstrated proofs of concept that cars can be hacked -- while being driven -- such that they can be completely controlled and cause massive damage to the car, to people in the car, and to others.
Other forms of IoT bear their own hackable forms of lurking danger, too. While cybersecurity pundits and government entities alike have voiced fears of the Internet of Things becoming an Internet of Murderables (See: A Killer App), the more realistic and common problems of IoT security are far more mundane yet still highly destructive -- such as botnets spreading ransomware and perpetrating DDoS attacks. (See: How Secure Are Your IoT Devices?)
Indeed, Markey and other politicians have stretched their IoT interests beyond basic motor-vehicle and medical-device safety. At the start of 2015, the Federal Trade Commission (FTC) released a report on IoT data-protection issues based on a series of workshops the Commission had held in 2013. In it, the FTC -- already all powerful over nearly all things consumer protection in the United States -- argued that it needed more technology-neutral legislation to act to regulate IoT data privacy. For all the good the FTC's technology-neutral power has done to protect consumer data privacy, consider the current case of Uber and its data-breach cover-up -- which happened while the FTC was already looking over its shoulder subject to a 20-year consent order.
This is perhaps a key point in the cybersecurity regulation debate. Without question, Uber has earned its reputation as a data-protection bad guy. Some technologists feel that IoT cybersecurity laws and regulations will do more harm than good -- flogging the peasants instead of punishing the princes.
"This is an area of intense debate," Chris Richter, senior vice president of Global Managed Security Services at CenturyLink, told Security Now. "There is one school of thought that the federal government and foreign governments need to set IoT security standards and just make a policy -- and the other half says, 'No, you get government meddling in it and it will just increase cost, it will slow down commerce, and they'll do a poor job of implementing security controls for IoT.'"
On the pro-regulatory side, CTO of IBM Resilient and cybersecurity expert Bruce Schneier has proposed creating a new regulatory agency specifically governing the Internet and connected devices -- similar to how the Federal Aviation Administration (FAA) regulates aircraft and airspace -- because the freewheeling and integrated nature of our new IoT world can be ambiguous when it comes to government oversight and jurisdiction.
"Our world-size robot needs to be viewed as a single entity with millions of components interacting with each other. Any solutions here need to be holistic," argues Schneier. "They need to work everywhere, for everything. Whether we're talking about cars, drones, or phones, they're all computers."
Richter, for his part, falls in the opposite camp when it comes to IoT regulation -- believing that industry can and should solve this problem itself, creating a sort of Good Housekeeping seal of approval for IoT cybersecurity. To this end, Richter argues that IoT cybersecurity can be sold as a feature -- even to consumers.
"I think most people would pay a little bit more for a refrigerator that [they] knew wasn't hacking [their] home network," says Richter. "I'm not a consumer marketing expert, but… I would certainly pay more for that kind of assurance."
From there, Richter argues, the customer's imagination may run wilder than the actual likelihood of damage.
"Most consumers don't really understand how security works, but they're thinking, 'Hey, if I don't buy the refrigerator that has the security seal of approval… is a hacker going to get into my [refrigerator] and then into my bank accounts?'" said Richter. "That's the leap that a lot of consumers will make -- [that] it's going to get into everything."
Proponents of IoT security regulation, however, argue that the free market fails on this issue from a strategic-modeling standpoint -- even setting aside the extreme dystopian fantasies of zombie cars and sabotaged pacemakers.
"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features," argues Schneier. "There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
Richter disagrees, stating that IoT devices' fundamental functionalities can indeed be hampered by even botnet malware. A smart appliance disrupted too badly by malware may stop functioning, claims Richter -- much the same way that an infected computer may slow down to the point of being nearly non-functional.
Moreover, hacked access to but one connected device on a network can lead to hacked access to other devices on a network. Thus, an entire smart home may become hacked into via a single device's vulnerability.
Meanwhile, on Capitol Hill, Markey has proposed a bit of baby-splitting. He and Congressional Representative Ted Lieu (D-Calif.-33) recently introduced bicameral legislation to create a voluntary cybersecurity certification program for all connected instruments sold in the US -- computers, phones, and IoT devices. Dubbed the Cyber Shield Act, the bill is something of a half-measure compromise between IoT regulationists and IoT free-marketers. If passed, the bill would direct the Secretary of Commerce to create a Cyber Shield Advisory Committee -- comprised of members from both the private and the public sector -- to advise on cybersecurity issues and best practices for IoT and other connected devices.
To this end, Markey and Lieu's bill is to strengthening IoT security what the Digital Security Commission Act -- introduced nearly two years ago by Senator Mark Warner (D-Va.) and Rep. Mike McCaul (R-Tex.-10) -- was to weakening private-sector encryption. Some cybersecurity and privacy advocates opposed the McCaul-Warner bill, criticizing it as little more than a way to exert pressure on the InfoSec community into doing the government's anti-encryption bidding -- coming in the disguise of a collaborative compromise. (The McCaul-Warner bill apparently died in subcommittee about a month after it was introduced.)
The Markey-Lieu bill, however, shows signs of potentially being less about government coercion and more about actual voluntary standards setting. The legislation's key feature is that the Cyber Shield Advisory Committee would also offer a Cyber Shield seal -- similar to the kind of seal Richter favors -- for device makers and sellers to put on devices that meet the Committee's standards.
It remains to be seen how much support the bill gains -- let alone how effective it could actually be. It remains entirely possible, regardless of how things turn out with Markey's legislation, that the federal government's direct involvement is inevitable.
"[IoT has] a lot of different security requirements, and the effects of getting them wrong range from illegal surveillance to extortion by ransomware to mass death," observes Schneier. "Governments will get involved, regardless. The risks are too great, and the stakes are too high. Government already regulates dangerous physical systems like cars and medical devices. And nothing motivates the US government like fear."

Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.
