Some form of regulation of IoT seems likely, although both scope and timing are up in the air

  • Security professionals encourage Internet of Things (IoT) regulation 

  • US regulators remain to be convinced 

  • Parties in the debate accused of squabbling 

  • Dutch MPs press the EU to regulate the 'Internet Of S**t' 

 

Sources: SC Media; CIO; Constellation Research; Sputnik News

 

Summary: Recent denial of service attacks from IoT devices sparked discussion as to the need for specific regulation. Proponents argue the economics of IoT mean there is no incentive to fix the issue. While self regulation and test marks can help, long term additional regulation seems likely.

 

 

Point of View

Bruce Schneier, Fellow at Harvard University, and other professionals argue that the economics of IoT devices for both manufacturers and consumers mean that there is no incentive for solutions to the recent security breaches to be brought to market. As critical infrastructure becomes more interconnected, the potential impact becomes more severe. Senator Walden, chairman of the Subcommittee on Communications and Technology, is not convinced stating that “The United States cannot regulate the world”. Schneier’s response is that by setting a standard, others will follow.

 

Some American lawyers also argue against more regulation, suggesting that it’s the service provider of the device that is liable to ensure it meets the user’s requirements. They caution that specific regulation may hold back an emerging sector. In the context of providers of specific services, such as automobiles and healthcare, there may be a relatively clear path to the provider (although not necessarily if the device relies on data from other providers). For consumer devices, where the security flaw may enable a denial of service attack on a third party, for example, then identification of the liable service provider seems less clear. The argument presented suggests that this is best tested in court.

 

In the EU, the impact of networked IoT devices has the potential to be addressed by regulations for data privacy and cyber security. Both the General Data Protection Regulation (GDPR) and Network and Information Security (NIS) Directive were adopted by the EU in early summer 2016 and come into force at national level in two years. The NIS directive requires essential and internet exchange services (such as search, cloud providers and marketplaces) to be secure and, therefore, does not necessarily include consumer devices. It is debatable as to whether this addresses the issues raised above. As the Directive is still to be transposed into national law, the scope may extend.

 

 

Implications

Differing opinions between security professionals and regulators suggest specific regulation for IoT is still some way off in the US. In the EU countries, new regulations arrive in two years which cover essential internet services (including banking). So, as things stand, service providers using IoT devices are likely to be liable for specific circumstances, rather than manufacturers being compelled to meet specific standards. Whether liability extends into the consumer sector may depend on the ongoing effects of security issues.

 

There are options, such as testing and certification marks, which could help with self-regulation. However, consumer demand for new and ever cheaper electronics means that manufacturers have little incentive to co-operate and that government regulation may be the only longer term solution.

 

 

The opinions and views expressed in this publication are those of the authors exclusively and do not purport to reflect the opinions, views or official policy position of AusPayNet or its members.

 

 

 

Please reload

Consumer
Centric
Technology and Innovation
Policy and 
Regulation
ARCHIVES
Please reload

Disclaimer

The opinions and views expressed in this publication are those of the authors exclusively and do not purport to reflect the opinions, views or official policy position of AusPayNet or its members. This publication is also subject to the AusPayNet Terms of Use and Privacy Policy available on the AusPayNet website.

 

Copyright © 2017 AusPayNet. All rights reserved.  

Read full Terms of Use

Privacy Statement