As the number of Internet-connected devices continues to proliferate at an exponential rate, governments in both the UK and United States are racing to beef up the consumer protections included on those devices. In the U.S., for example, California became the first state to pass an Internet of Things (IoT) security law, which is scheduled to go into effect in January 2020. In Britain, the UK government has just introduced a new draft law that will require certain cyber security features to be built into IoT products and clearly labeled on the package. Both of these IoT security laws could become templates for other nations looking to improve the security of so-called “smart” devices hooked up to the Internet.
Context for the new IoT security laws
Prior to 2016, consumers and governments gave little or no thought to the cybersecurity protections built into Internet-connected devices, or to how simple security vulnerabilities of those devices could lead to real-world problems. But then came the infamous Mirai attack of 2016, in which hackers were able to compromise Internet-connected devices around the world and combine them into a massive botnet capable of taking down the world’s most popular websites via a spectacular denial of service attack. At the same time, the popular media began to fill up with stories of glaring security breaches in Internet-connected devices (such as devices that all came preinstalled with the same default password from the manufacturer), and spooky real-world scenarios of the types of cyber attacks that might happen if criminals or other nefarious actors hacked into Internet-connected toys, medical devices or home sensors.
That all set the stage for the first attempts at passing strong IoT security laws to put into practice stronger security measures. The U.S., for example, saw several IoT security laws – such as the 2017 IoT Consumer TIPS Act – introduced in Congress, only to fall short of a final vote. The momentum began to change in 2018, however, when California passed the first of the new IoT security laws. The idea of the new California law – known as SB 327 (“Information Privacy: Connected Devices”) – is to require all devices connected to the Internet to have “reasonable security features” that “protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.” At the same time, in an effort to protect personal data, SB 327 bans the use of default passwords for Internet-connected devices.
Pros and cons of the California law on IoT devices
So did the new California law on consumer IoT security go far enough? Critics say that the new IoT cybersecurity law essentially just aimed for the lowest-hanging fruit (default passwords), and then relied on a vague phrase (“reasonable security feature”) that any device manufacturer could interpret in many different ways. Plus, as some critics have pointed out, some authentication mechanisms that do not rely on passwords also ship with default settings, and these would seemingly not be covered by the California law.
On the other hand, proponents of SB 327 say that the California law is a good first step in making sure that consumer IoT devices are as safe as possible. Plus, since California is the home of Silicon Valley tech giants, any changes made by companies based in California would likely filter out to other companies around the nation, and most likely, around the world. At some point, even a Chinese device manufacturer would have to play by certain rules if they planned to sell a product to U.S. citizens and avoid the oversight of an attorney general looking to enforce IoT security laws.
New steps by the UK government to address IoT security
The U.S. is not the only nation to take a much harder look at IoT security laws – the British government has also been taking steps to improve the security of connected devices. Back in October 2018, the government passed the voluntary Code of Practice (COP) for consumer IoT security, which attempted to codify all best practices in one place.
Similar to the California IoT law, it attempts to clamp down on default passwords and beef up security requirements. All IoT devices must come with unique passwords, and they must include protections that prevent consumers from switching them back to factory-ready default settings. The thinking here is that unique passwords will prevent a repeat of the infamous Mirai botnet, which exploited the fact that most devices back in 2016 all came with the same passwords. Once a hacker knew one password, the hacker knew the password for tens of thousands of devices.
Also included in the COP is the requirement that manufacturers of IoT devices provide a public point of contact, so that consumers know whom to contact if they have security questions about their devices. Moreover, via a vulnerability disclosure policy, manufacturers must state the minimum length of time for which the device will receive security updates. This would let consumers know how long a device is “safe” to use (after the minimum length of time is over, presumably, the device would essentially become a ticking time bomb, capable of being exploited by hackers).
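The three requirements just described (no shared or well-known default password, a public security contact, and a stated minimum security-update period) lend themselves to a simple batch audit a manufacturer or retailer could run over its own device records. The following is an added example written for this article, not code from the COP, SB 327, or any manufacturer; the record fields (serial, initial_password, security_contact, support_until), the sample batch, and the list of well-known defaults are all constructed for illustration.

```python
"""Added example: audit a batch of constructed device provisioning records
against COP / SB 327-style requirements. Field names and sample data are
assumptions made for this example, not a real manufacturer's schema."""

from collections import Counter
from datetime import date

# Constructed, illustrative list of well-known factory passwords
# (a deliberately short stand-in, not a real default-credential wordlist).
KNOWN_DEFAULTS = {"admin", "password", "12345", "1234", "default", ""}

# Constructed sample batch: two cameras sharing a factory default with no
# security contact and an expired update window, one compliant device.
SAMPLE_BATCH = [
    {"serial": "CAM-0001", "initial_password": "admin",
     "security_contact": "", "support_until": date(2021, 6, 30)},
    {"serial": "CAM-0002", "initial_password": "admin",
     "security_contact": "", "support_until": date(2021, 6, 30)},
    {"serial": "CAM-0003", "initial_password": "x7Qk2m9LpV3nR8tZ",
     "security_contact": "security@example.com", "support_until": date(2022, 1, 31)},
]

# Reference date used by the stand-alone run below (constructed).
AUDIT_DATE = date(2021, 9, 1)


def password_findings(batch):
    """Flag devices whose initial password is a well-known default or is
    shared with another device in the batch (the Mirai failure mode)."""
    counts = Counter(d["initial_password"] for d in batch)
    findings = []
    for d in batch:
        pw = d["initial_password"]
        if pw.lower() in KNOWN_DEFAULTS:
            findings.append((d["serial"], "known-default-password"))
        if counts[pw] > 1:
            findings.append((d["serial"], "password-shared-across-devices"))
    return findings


def disclosure_findings(batch, today):
    """Flag devices with no public security contact, or whose stated
    minimum security-update period has already ended as of `today`."""
    findings = []
    for d in batch:
        if not d["security_contact"]:
            findings.append((d["serial"], "no-security-contact"))
        if d["support_until"] < today:
            findings.append((d["serial"], "security-updates-ended"))
    return findings


def audit(batch, today):
    """Combine both checks into one sorted list of (serial, issue) tuples."""
    return sorted(password_findings(batch) + disclosure_findings(batch, today))


def audit_sample(today=AUDIT_DATE):
    """Run the audit over the constructed sample batch."""
    return audit(SAMPLE_BATCH, today)


if __name__ == "__main__":
    for serial, issue in audit_sample():
        print(f"{serial}: {issue}")
```

Run as a script, the audit lists four issues for each of CAM-0001 and CAM-0002 and none for CAM-0003. The uniqueness check is deliberately batch-wide rather than per-device: a password can look strong in isolation and still be the same string burned into every unit, which is exactly the condition the COP's unique-password requirement targets.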
At the same time, the UK government, led by Digital Minister Margot James, is testing various label designs for IoT security. The UK would like to introduce a mandatory labeling scheme that would tell consumers just how secure their smart devices really are. Once the final label is approved, the onus would then be placed on retailers; they would only be able to sell connected products with this IoT security label.
The concept of “secure by design”
These various iterations of IoT security laws hint at a basic concept that is becoming increasingly mainstream: “Secure by design.” What this means in practice is that security should be built into a product before it ever reaches the production phase. In contrast, in today’s digital culture, it almost seems like security features are grafted on at the very end (or after it’s too late), rather than designed into the product from the very beginning. In the UK, both the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) have embraced this concept.
The big question, of course, is how consumers will respond to this new “secure by design” mandate. One allure of smart devices at this point is just how cheap and easy they are to use – instead of having to sit down and worry about security settings, these devices have basically been plug-and-play. Plus, since manufacturers spent little or no time thinking about security, there were no extra costs to pass on to the consumer. That led to a wide range of products at relatively low prices. That could change in 2020, when the first wave of these IoT security laws goes into effect. Given that Gartner now predicts there will be over 14 billion Internet-connected devices in use worldwide by the end of 2019, the timing is particularly relevant.