This article was co-authored by Wiley Rein LLP partner Megan L. Brown and attorney Michael L. Diakiwski, who both practice in the firm’s Telecom, Media & Technology and Privacy & Cybersecurity practices.
Security for Internet-connected devices, the “Internet of Things” (IoT), is critically important. Now, more than ever, it is top of mind for device manufacturers, network operators, consumer advocates, lawmakers, and government regulators—domestically and internationally. In the face of recent attacks, government authorities and consumer advocates have proposed legislation, frameworks, certifications, and labeling schemes.
A sense of urgency to act must not threaten the efficacy of IoT devices or stymie innovative applications with premature or oversimplified approaches. Below we explore some of the proposals to enhance IoT security and underscore key principles, which should be followed to ensure that the marketplace continues to produce innovation beneficial across the globe.
Greater Use, Greater Threat
In 2017, worldwide demand for IoT devices skyrocketed. Networked devices have become essential in many respects. It is estimated that more than 8.4 billion devices were in use in 2017, more than a 30% increase from the year before. [1] Every hour, a million new IoT connections are made, and projections for the future are even more staggering. [2] Ericsson estimates that between 2015 and 2021, the number of IoT-connected devices will grow by 23% each year. [3]
“Smart” devices will have profound impacts on our daily lives, with medical devices identifying diseases earlier and enhancing patient treatment, sensors improving efficiencies in farming and agriculture, controls monitoring and conserving energy use, and consumer devices simplifying everything from seamless global communications to residential security and entertainment.
But this explosion of connected devices comes with security implications. Unsecured devices can become infected with malicious code and be redirected without the knowledge of end users. Such a collection of infected devices, called a “botnet,” can be used to launch distributed denial-of-service (DDoS) attacks, which can overwhelm networks and systems, causing them to fail.
In 2016, the largest DDoS attack to date, launched by the Mirai botnet, was directed against a major domain name system provider. This global botnet targeted the service provider, causing some of the most popular destinations on the Internet to go down. Other attacks target specific “devices”—such as connected vehicles and medical devices—and can result in a “hijacking” of the device, with the user or operator losing control of the device itself.
Draft Legislation Aims to Tackle IoT Security
Some lawmakers feel the need to act. 2017 saw the introduction of a multitude of bills in Congress, aiming to enhance IoT security and end-user awareness.
For example, last October, the Cyber Shield Act of 2017 was introduced in the House and Senate. [4] The Act would direct the Department of Commerce to create a voluntary self-certification program that would independently identify, verify, and label compliant IoT devices with strong cybersecurity standards. Companies that meet the standards could display a compliance label on their products. The labels may be in the form of different “grades” that indicate the extent to which a product meets “industry-leading cybersecurity and data security benchmarks.” The bill is discussed in more detail here.
Last summer, a group of U.S. Senators introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, [5] which would require companies selling connected products to the government to make commitments about security and expand device support. It would also create guidelines for each agency to impose vulnerability disclosure requirements. A description of the bill can be found here.
Another bill, the IoT Consumer TIPS Act, [6] would require the Federal Trade Commission (FTC) to develop guidance to help consumers improve their cybersecurity practices with respect to connected devices. It is discussed further here.
Additionally, the FTC has confirmed that it will be vigilant about IoT security and released updated guidance about compliance with the Children’s Online Privacy Protection Act (COPPA), [7] confirming that COPPA does apply to IoT devices.
Calls for IoT “Standards” and Labeling Persist
Domestically and internationally, efforts are underway to establish minimum standards, certifications, or labeling schemes related to IoT security. Privacy and consumer advocates are developing proposals to reshape the certification and labeling of consumer devices.
In March 2017, Consumer Reports announced its “Digital Standard,” [8] “an ambitious ... effort to shape the digital marketplace in a way that puts consumers’ data security and privacy needs first.” [9] The Digital Standard was developed by privacy and consumer rights advocates “to encourage industry to design and produce safer products for consumers.” It is far from perfect, however. It has prescriptive security requirements and seeks to alter private industry security designs, without first getting industry feedback in the Standard’s development. In March 2018, a year after its initial release, groups associated with the Digital Standard announced they would be seeking feedback from companies and other stakeholders to encourage broader adoption. [10] Yet the prescriptive nature of this standard may limit its broad application.
Consumer labels and disclosures about security are complex and should be carefully studied. Nuanced and variable information about technology attributes, security choices, end user behavior, updates, and third-party activity is not the sort of binary or objective data we are used to seeing on labels. Software lifecycle management is not like calorie information, and consumers may need more education about cyber hygiene than what fits on a label.
And the rest of the world is not sitting idly by.
In September 2017, the European Commission (EC) introduced a “Cybersecurity Package,” which includes a stringent certification scheme for connected devices. [11] In the “Cybersecurity Act,” the EC would establish rules to create certification schemes for particular Internet-connected devices and services. Presently, European Union member states may have varying requirements, and this framework seeks to coalesce around a more uniform certification. Under the proposal, the certification schemes would be voluntary, “unless otherwise provided in Union legislation laying down security requirements [for] products and services.”
Among other proposals in the EC Cyber Package, a joint Commission and industry initiative would seek to define a “duty of care” principle to help reduce the risk of product and software vulnerabilities and promote “security by design.”
In 2016, the Government of Japan released a “General Framework for Secure IoT Systems,” [12] which “aims to clarify the fundamental and essential security requirements for secure IoT systems.” Japan’s efforts to build upon this General Framework, enhance security more generally, and collaborate internationally remain ongoing.
Diffuse efforts around the world introduce additional complexity into the marketplace, with the prospect of compliance with multiple standards and regulatory requirements. Governments should support international standards work that harmonizes varied approaches to regulating technology.
Core Principles for IoT Security Policy
Flexible approaches to collaboration on shared threats have significant advantages over national regulation or labeling schemes, which can fragment the global economy and limit technological innovation. Manufacturers and vendors of connected devices should be encouraged to routinely evaluate and improve endpoint security. [13]
Security should be risk-based. The consequences of compromised or failed devices vary significantly based on the environments in which they operate. A television at home may not need to meet the same rigorous standards as a control system regulating the flow of water or electricity. Risk models differ, and so too should approaches to diverse devices.
Approaches to IoT security should be data-driven, based on empirical evidence of a specific harm. Security policy should be adaptable both over time and across borders. This counsels against ossifying technical requirements in regulation or law. And any government IoT strategy should promote technical compatibility and interoperability, here and abroad.
This is an international threat that no one nation or actor can solve alone; the international community must collectively condemn criminal activities that exploit the openness and connectivity of the Internet. Governments must work together to shut down the criminal networks that threaten the resilience of the Internet and IoT ecosystem.
Finally, public education about the threats and best practices in this space is essential. Because unsecured devices can threaten the broader ecosystem, end users need to be educated about their roles and responsibilities.
Conclusion
With so many ongoing and overlapping efforts, there is a danger of premature, ill-considered, and conflicting requirements and obligations.
Standardized requirements, certifications, and labeling schemes are not practical in an ecosystem of billions of devices, each with varying use-cases, risk profiles, and applications across industries. Indeed, labeling or security “ratings” can breed a false sense of security, contribute to over-warning, and generate needless consumer litigation.
Inflexible or prescriptive requirements, such as those proposed in the Digital Standard, do not serve to drive advancements in security or innovation. The pace of change in technology is matched, in some cases, only by the pace at which threats and risks develop. Security, as it relates to technology, is evolving constantly. For this vast ecosystem, in a rapidly developing and expanding marketplace, security must be risk-based and non-prescriptive. This will allow the many opportunities and benefits that IoT devices bring to our society to be felt across the globe.
[1] Press Release, Gartner, Gartner Says 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31 Percent from 2016 (Feb. 7, 2017), https://www.gartner.com/newsroom/id/3598917.
[2] i-SCOOP, The Internet of Things (IoT)—essential IoT business guide, https://www.i-scoop.eu/internet-of-things-guide.
[3] Ericsson, Ericsson Mobility Report—On the Pulse of the Networked Society, at 3 (June 2016), https://www.ericsson.com/assets/local/mobility-report/documents/2016/ericsson-mobility-report-june-2016.pdf.
[4] S. 2020, 115th Cong. (2017), https://www.congress.gov/115/bills/s2020/BILLS-115s2020is.pdf. H.R. 4163, 115th Cong. (2017), https://www.congress.gov/115/bills/hr4163/BILLS-115hr4163ih.pdf.
[5] S. 1691, 115th Cong. (2017), https://www.congress.gov/115/bills/s1691/BILLS-115s1691is.pdf.
[6] S. 2234, 115th Cong. (2017), https://www.congress.gov/115/bills/s2234/BILLS-115s2234is.pdf.
[7] FTC, Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business (June 2017), https://www.ftc.gov/tips-advice/business-center/guidance/....
[8] The Digital Standard, https://www.thedigitalstandard.org/the-standard.
[9] Consumer Reports, Consumer Reports Launches Digital Standard to Safeguard Consumers’ Security and Privacy in Complex Marketplace (Mar. 6, 2017), https://www.consumerreports.org/media-room/press-releases/2017/03/....
[10] Inside Cyber, Advocates seek input on ‘Digital Standard’ for IoT devices (Mar. 16, 2018).
[11] European Commission, Cybersecurity Act, COM(2017)477 (proposed Sept. 13, 2017), https://ec.europa.eu/info/law/better-regulation/initiatives/com-2017-477_en.
[12] National Center of Incident Readiness and Strategy for Cybersecurity, General Framework for Secure IoT Systems (Aug. 26, 2016), https://www.nisc.go.jp/eng/pdf/iot_framework2016_eng.pdf.
[13] For more principles and a broader discussion, see Principles for IoT Security, United States Chamber of Commerce, available at https://www.uschamber.com/IoT-security.
You talk about security needing to be risk-based, but risk to whom? You mention a home television as posing less risk than a system controlling the flow of electricity. Notably absent there is any consideration of the risk that television poses to the electric-grid control systems if it’s for instance compromised and used as part of a botnet generating a denial-of-service attack on the electric-grid control system. This is the biggest risk from insecure IoT devices: a risk not to the owner of the device nor to the manufacturer but to a third party. You discuss these risks earlier in the article, so why are they absent at the end?
Thanks for reading! I don’t think these risks are absent from the end. We say “Risk models differ, and so too should approaches to diverse devices.” That includes risks to third parties too, which aren’t only solved at the device layer. And right before the conclusion we again note that risks of unsecured devices threaten the ecosystem. End users are important because updates have to be deployed, users (and enterprises) can inadvertently undermine security, and they need to know their decisions can have externalities. Our point is that prescriptive regimes or labeling aren’t likely to solve the problem and may do more harm than good. I love the feedback and discussion. I admire how communal the security community can be. Thanks!