Security professionals encourage Internet of Things (IoT) regulation
US regulators remain to be convinced
Parties in the debate accused of squabbling
Dutch MPs press the EU to regulate the 'Internet Of S**t'
Sources: SC Media; CIO; Constellation Research; Sputnik News
Summary: Recent denial of service attacks from IoT devices sparked discussion as to the need for specific regulation. Proponents argue the economics of IoT mean there is no incentive to fix the issue. While self-regulation and test marks can help, additional regulation seems likely in the long term.
Point of View
Bruce Schneier, Fellow at Harvard University, and other professionals argue that the economics of IoT devices for both manufacturers and consumers mean that there is no incentive for solutions to the recent security breaches to be brought to market. As critical infrastructure becomes more interconnected, the potential impact becomes more severe. Senator Walden, chairman of the Subcommittee on Communications and Technology, is not convinced, stating that “The United States cannot regulate the world”. Schneier’s response is that by setting a standard, others will follow.
Some American lawyers also argue against more regulation, suggesting that it is the service provider of the device that is liable for ensuring it meets the user’s requirements. They caution that specific regulation may hold back an emerging sector. In the context of providers of specific services, such as automobiles and healthcare, there may be a relatively clear path to the provider (although not necessarily if the device relies on data from other providers). For consumer devices, where the security flaw may, for example, enable a denial of service attack on a third party, identification of the liable service provider seems less clear. The argument presented suggests that this is best tested in court.
In the EU, the impact of networked IoT devices has the potential to be addressed by regulations for data privacy and cyber security. Both the General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive were adopted by the EU in early summer 2016 and come into force at national level in two years. The NIS Directive requires essential and internet exchange services (such as search, cloud providers and marketplaces) to be secure and, therefore, does not necessarily include consumer devices. It is debatable whether this addresses the issues raised above. As the Directive is still to be transposed into national law, the scope may extend.
Differing opinions between security professionals and regulators suggest specific regulation for IoT is still some way off in the US. In the EU countries, new regulations arrive in two years which cover essential internet services (including banking). So, as things stand, service providers using IoT devices are likely to be liable for specific circumstances, rather than manufacturers being compelled to meet specific standards. Whether liability extends into the consumer sector may depend on the ongoing effects of security issues.
There are options, such as testing and certification marks, which could help with self-regulation. However, consumer demand for new and ever cheaper electronics means that manufacturers have little incentive to co-operate, and government regulation may be the only longer-term solution.
The opinions and views expressed in this publication are those of the authors exclusively and do not purport to reflect the opinions, views or official policy position of AusPayNet or its members.