New international laws and standards are expected to change that situation soon. A lot has been happening in IoT cybersecurity in the last three months. Researchers from Unit 42 recently reported that criminal botnets spent August to December last year trying to worm their way into smart devices affected by CVE-2021-35394, a flaw in a Realtek SDK embedded in large numbers of consumer products. A few weeks earlier, Microsoft warned that attackers were targeting a long-discontinued web server that still ships inside security cameras and software development kits. Then there was the Roomba scandal, in which images captured inside users' homes turned up on Facebook. The images came from an AI training programme for the devices that many of the affected users say they were never fully made aware of.
It is a situation that unnerves Madeline Carr, and one she believes stems largely from a complete lack of consensus among legislators on how IoT devices should be secured. In a recent essay for the World Economic Forum, Carr, a professor at University College London, argues for much tighter legal governance regimes for IoT in the context of global politics and cyber security. In most of the world, she explains, there are simply no rules or regulations directly governing how IoT devices should be protected against hacking or privacy violations, leaving it to companies in the space to decide for themselves how to protect consumers from these threats.
Carr argues that many people are still uninterested in the problem or cannot fully grasp it. In her view, many manufacturers do not understand the implications of their products, and some do not even realise that what they are building is a networked device at all. Take an average smart doorbell: the manufacturer does not know the context it will be deployed in, and so cannot know what level of security it will need, or whether the buyer expects any security from it at all.
By contrast, companies that do take an active interest typically rely on a patchwork of international standards that offer guidance on interoperability and security (and on how not to fall foul of privacy laws) but remain mostly voluntary. In Carr’s view, these documents are ways for manufacturers and service providers to say, “Alright, if I do my thing this way, it will be interoperable, or it will be considered safe or appropriate.” The problem is that consumers and companies would need to share the same interpretation of what is and isn’t appropriate for IoT privacy and cybersecurity.
They rarely do, which results in strange and troubling variations in the level of protection built into individual products, and in legal absurdities arising from laws that were never designed for the challenges IoT presents. Tesla vehicles, for example, carry so many sensors and cameras that the Bavarian Data Protection Authority has said owners who switch on the car's camera-based monitoring feature (Sentry Mode) become fully-fledged data controllers under GDPR.
In the absence of agreed governance standards, the risk of cybersecurity breaches grows. Large numbers of IoT devices have been conscripted into criminal botnets in recent years, feeding DDoS attacks and supporting ransomware operations. As a society, we become more exposed to cyberattacks the more dependent on IoT we become. Carr says we are building porosity into our critical information infrastructure by embedding millions of unsecured devices in our built and natural environments, and there is simply no way to recall those devices once they have been shown to be a problem.
There is good news: reform is on its way and, in the UK, it has already begun. The Product Security and Telecommunications Infrastructure (PSTI) Act was passed last month. Under the legislation, firms that manufacture, import, or distribute IoT devices must comply with stringent new security requirements. The law also requires companies to investigate, act on, and keep records of cybersecurity failures, and to stop insecure products from being distributed. In a deliberate echo of GDPR, non-compliance with the PSTI Act carries a fine of up to £10m or 4% of worldwide revenue. Businesses will get at least 12 months’ notice before the law takes effect, although the specific regulations that underpin it have not yet been published.
The US has also proposed new rules in this area. Under the Biden administration’s labelling initiative, IoT products would carry a simple label setting out the security information relevant to that product, with a QR code pointing consumers to guidance on protecting themselves against cybercriminal gangs. Progress on IoT governance cannot be allowed to stall, says Carr. At stake is the future of a technology that, at its core, promises to make life better, safer, and in some cases longer for those who use it. We need to agree cybersecurity and privacy rules that apply from the moment IoT devices are manufactured, so that people can trust them.
The online payments and digital wallet ecosystems that carry financial transactions across the internet are a good example of the balance that can be struck between IoT-style functionality and safety, says Carr. “Those sectors are aware that losing people’s trust in online banking would be catastrophic to their business models,” she says. Nor should stakeholders need an international conference to get there. “It’s not about everyone having the same law or international agreement about what our laws should be,” Carr says, but about gradually building consensus around IoT governance.