Can legislation save IoT security?
Introduction: The state of IoT security
As noted in a Gemalto report on the State of IoT Security, it was found that almost half of companies couldn’t tell if their IoT devices had been hacked. The statistics on cybersecurity threats and incidents with IoT in the chain at some point makes depressing reading.
And it’s not like we haven’t had plenty of time to get our ducks in a row. The modern concept of the IoT has been in the mass marketplace for at least six years. The idea of a connected device goes back to at least 1999, when Electrolux announced the Screenfridge, an “Internet refrigerator.”
One thing that jumps out of the Gemalto report is that over three-quarters of organizations want governments to wade in with legislation on IoT security.
To this end, governments are beginning to wake up and connect the Internet dots. Legislation is afoot. Here, we look at two recent exercises in legislating for IoT security.
The UK and IoT security
Ofcom, a UK industry watchdog, performed a study in 2018 into the Internet-connected habits of UK residents. They found that 42 percent of households had a smart TV and 20 percent used IoT wearables. However, the UK industry body techUK showed a dark cloud forming over the IoT marketplace in the UK. TechUK’s consumer survey showed that cybersecurity and privacy concerns related to IoT devices were stifling IoT device purchase decisions.
The UK government has responded with the “Department for Digital, Culture, Media & Sport” (DDCMS), releasing a consultation paper for IoT security legislation on May 1st. Prior to the paper, the DDCMS and the National Cyber Security Centre (NCSC) created a Code of Practice for Consumer IoT Security. The practice guidelines set out a list of 13 best practices in IoT security. The audience for the paper was anyone involved in the manufacture and sales of IoT devices.
This best practice guide has been instrumental in forming the basis for the consultation paper. This paper will ultimately lead to legislation on IoT security.
The Code of Practice for Consumer IoT Security
The code of practice is a voluntary set of guidelines with the remit of facilitating security by design in the world of connected devices. Some big names have already signed up to the tenets it sets out, including Centrica and Hewlett-Packard. The guide will be updated every two years, which is important, since both technology on the cutting edge of innovation and the cybersecurity threatscape have a tendency to change.
The 13 principles behind the guidelines cover the well-known issues in IoT security today. Four examples from the list include:
- No Default password: The Mirai botnet that took down large portions of the Internet is the perfect poster child for what happens when IoT devices have default and easily guessable passwords set
- Implement a vulnerability disclosure policy: Having a policy to report vulnerabilities shares security intelligence and makes it easier to fix issues
- Minimize exposed attack surfaces: Applying the principle of least privilege is a sensible guideline for us all, not just IoT devices
- Ensure that personal data is protected: A general guideline in line with GDPR
The consultation on regulatory proposals on consumer IoT security
The consultation paper takes these best practice guidelines as a foundation for legislation. The paper has been released to any organization or individual with an interest in IoT devices, including manufacturers, retailers, mobile app developers, consumers and academics. The consultation paper explicitly states that they wish to ensure “Strong cyber security is built into these products by design.”
The paper has three mandatory requirements:
- All IoT device passwords shall be unique and shall not be resettable to any universal factory default value
- The manufacturer shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues
- Manufacturers will explicitly state the minimum length of time for which the product will receive security updates
The consultation looks at using a labeling system to show that manufacturers comply with the regulations. This is hoped to add transparency to the manufacturer/consumer relationship.
This legislation is specifically aimed at consumer IoT devices. That includes devices such as toys, smart TVs, wearables and smart home assistants, among others. The consultation end date is June 5th, 2019.
Senate Bill 357 and Assembly Bill No. 1906
California is raising the bar yet again in terms of security and privacy with two bills, 357 and 1906. California Governor Jerry Brown approved both bills, which will come into law on January 1st, 2020. The bills, aimed at connected device manufacturers, spell out that “reasonable security feature or features” must be used in the devices.
The bills contains multiple security requirements. However, there are some weaknesses in those requirements. For example:
- Each IoT device must have a unique password. This is great, but there is no mandate for ensuring robust passwords are used. Users have a tendency to not change the default password. Easy-to-guess passwords are as bad as default passwords.
- “The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.” This also leaves some issues around mandating robustness of passwords
An exception to the California law
The law covers all IoT devices, but it has this exception — it does not include “unaffiliated third-party software or applications that a user chooses to add to a connected device.” The law will only apply directly to manufacturers. If a company rebrands a device, it may not be covered.
International IoT security standard
Standards can help inform legislation. In February 2018, the first globally applicable industry standard for IoT was announced by the European Telecommunications Standards Institute (ETSI). Their paper, Cyber Security for Consumer Internet of Things, is built on the work done in the UK Code of Practice for Consumer IoT Security.
Legislation or IoT bust?
According to IHS, there will be 75 billion IoT devices kicking around this planet by 2025. This makes the mobile device market seem pretty lean. We spend a lot of time discussing mobile device security, so we should extend this to make sure IoT device security has the same focus. We must get behind this tsunami of endpoints, not just with methods to prevent cyberattacks but with legislation too.
Cybersecurity is an ongoing battle for all of us — individuals, SMBs and enterprises. Having guidelines that can inform cybersecurity mandates sets out best practice and helps to mitigate the worst of cyberthreats. Turning those guidelines into legislation is essential to then have enforcement strategies that will bring manufacturers into line with modern cybersecurity threat mitigation.
However, there needs to be a more global approach. IoT is a global technology. It is also an innovative technology that will pull economies along with it. Legislation on cybersecurity threats in global technology applications needs to be globally embraced through legislation across the board.
- IoT device breaches undetectable by nearly half of companies, Gemalto
- Folasade Osisanwo, Shade Kuyoro, and Oludele Awodele. “Internet Refrigerator – A typical Internet of Things (IoT),” 3rd International Conference on Advances in Engineering Sciences & Applied Mathematics
- The Communications Market 2018, Ofcom
- Connected home device ownership up but consumers remain sceptical, techUK
- Consultation on regulatory proposals on consumer IoT security, gov.uk
- Code of Practice for Consumer IoT Security, gov.uk
- Senate Bill No. 327, California Legislative Information
- Assembly Bill No. 1906, California Legislative Information
- Cyber Security for Consumer Internet of Things, ETSI
- IoT Platforms: Enabling the Internet of Things, IHS Markit