We need stronger cybersecurity laws for the Internet of Things

Posted: Nov 11, 2018 4:22 PM
Updated: Nov 11, 2018 4:22 PM

Due to ever-evolving technological advances, manufacturers are connecting consumer goods -- from toys to lightbulbs to major appliances -- to the internet at breakneck speeds. This is the Internet of Things, and it's a security nightmare.

The Internet of Things fuses products with communications technology to make daily life more effortless. Think Amazon's Alexa, which not only answers questions and plays music but allows you to control your home's lights and thermostat. Or the current generation of implanted pacemakers, which can both receive commands and send information to doctors over the internet.

But like nearly all innovation, there are risks involved. And for products born out of the Internet of Things, this means the risk of having personal information stolen or devices being overtaken and controlled remotely. For devices that affect the world in a direct physical manner -- cars, pacemakers, thermostats -- the risks include loss of life and property.

By developing more advanced security features and building them into these products, hacks can be avoided. The problem is that there is no monetary incentive for companies to invest in the cybersecurity measures needed to keep their products secure. Consumers will buy products without proper security features, unaware that their information is vulnerable. And current liability laws make it hard to hold companies accountable for shoddy software security.

It falls upon lawmakers to create laws that protect consumers. While the US government is largely absent in this area of consumer protection, the state of California has recently stepped in and started regulating the Internet of Things, or "IoT" devices sold in the state -- and the effects will soon be felt worldwide.

California's new SB 327 law, which will take effect in January 2020, requires all "connected devices" to have a "reasonable security feature." The good news is that the term "connected devices" is broadly defined to include just about everything connected to the internet. The not-so-good news is that "reasonable security" remains defined such that companies trying to avoid compliance can argue that the law is unenforceable.

The legislation requires that security features must be able to protect the device and the information on it from a variety of threats and be appropriate to both the nature of the device and the information it collects. California's attorney general will interpret the law and define the specifics, which will surely be the subject of much lobbying by tech companies.

There's just one specific in the law that's not subject to the attorney general's interpretation: Default passwords are not allowed. This is a good thing; they are a terrible security practice. But it's just one of dozens of awful "security" measures commonly found in IoT devices.

This law is not a panacea. But we have to start somewhere, and it is a start.

Though the legislation covers only the state of California, its effects will reach much further. All of us -- in the United States or elsewhere -- are likely to benefit because of the way software is written and sold.

Automobile manufacturers sell their cars worldwide, but they are customized for local markets. The car you buy in the United States is different from the same model sold in Mexico, because the local environmental laws are not the same and manufacturers optimize engines based on where the product will be sold. The economics of building and selling automobiles easily allows for this differentiation.

But software is different. Once California forces minimum security standards on IoT devices, manufacturers will have to rewrite their software to comply. At that point, it won't make sense to have two versions: one for California and another for everywhere else. It's much easier to maintain the single, more secure version and sell it everywhere.

The European General Data Protection Regulation (GDPR), which implemented the annoying warnings and agreements that pop up on websites, is another example of a law that extends well beyond physical borders. You might have noticed an increase in websites that force you to acknowledge you've read and agreed to the website's privacy policies. This is because it is tricky to differentiate between users who are subject to the protections of the GDPR -- people physically in the European Union, and EU citizens wherever they are -- and those who are not. It's easier to extend the protection to everyone.

Once this kind of sorting is possible, companies will, in all likelihood, return to their profitable surveillance capitalism practices on those who are still fair game. Surveillance is still the primary business model of the internet, and companies want to spy on us and our activities as much as they can so they can sell us more things and monetize what they know about our behavior.

Insecurity is profitable only if you can get away with it worldwide. Once you can't, you might as well make a virtue out of necessity. So, everyone will benefit from the California regulation, as they would from similar security regulations enacted in any market around the world large enough to matter, just like everyone will benefit from the portion of GDPR compliance that involves data security.

Most importantly, laws like these spur innovations in cybersecurity. Right now, we have a market failure. Because the courts have traditionally not held software manufacturers liable for vulnerabilities, and because consumers don't have the expertise to differentiate between a secure product and an insecure one, manufacturers have prioritized low prices, getting devices out on the market quickly and additional features over security.

But once a government steps in and imposes more stringent security regulations, companies have an incentive to meet those standards as quickly, cheaply and effectively as possible. This means more security innovation, because now there's a market for new ideas and new products. We've seen this pattern again and again in safety and security engineering, and we'll see it with the Internet of Things as well.

IoT devices are more dangerous than our traditional computers because they sense the world around us, and affect that world in a direct physical manner. Increasing the cybersecurity of these devices is paramount, and it's heartening to see both individual states and the European Union step in where the US federal government is abdicating responsibility. But we need more, and soon.
