IoT Regulation Could Save the Internet

"The Internet of Things leads also to the Internet of Threats because, obviously, every device that has [connectivity to] the Internet built into it becomes subject to hacking; that's just the bottom line," said US Senator Edward Markey (D-Mass.) in a Senate Subcommittee hearing last year. "If you don't deal with the threats, then all you are doing is ignoring the inevitable problems that are going to be created."

Markey is known for having IoT regulation as a pet issue -- particularly when it comes to automobile connectivity (he has dubbed modern cars "computers on wheels"). Four years ago, Markey and fellow US Senator Richard Blumenthal (D-Conn.) pressed automaker executives on the issue of cybersecurity in their vehicles. Since then, Markey has grown fond of saying, "Thieves no longer need a crowbar to break into your car; they just need an iPhone."

Markey isn't far off the mark. Hackers have time and again demonstrated proofs of concept that cars can be hacked -- while being driven -- such that they can be completely controlled and cause massive damage to the car, to people in the car, and to others.

Other forms of IoT bear their own hackable forms of lurking danger, too. While cybersecurity pundits and government entities alike have voiced fears of the Internet of Things becoming an Internet of Murderables (See: A Killer App), the more realistic and common problems of IoT security are far more mundane yet still highly destructive -- such botnets spreading ransomware and perpetrating DDoS attacks. (See: How Secure Are Your IoT Devices?)

Indeed, Markey and other politicians have stretched their IoT interests beyond basic motor-vehicle and medical-device safety. At the start of 2015, the Federal Trade Commission ("FTC") released a report on IoT data-protection issues based on a series of workshops the Commission had held in 2013. In it, the FTC -- already all powerful over nearly all things consumer protection in the United States -- argued that it needed more "technology-neutral" legislation to act to regulate IoT data privacy. For all the good the FTC's technology-neutral power has done to protect consumer data privacy, consider the current case of Uber and its data-breach cover up -- which happened while the FTC was already looking over its shoulder subject to a 20-year consent order.

This is perhaps a key point in the cybersecurity regulation debate. Without question, Uber has earned its reputation as a data-protection bad guy. Some technologists feel that IoT cybersecurity laws and regulations will do more harm than good -- flogging the peasants instead of punishing the princes.

"This is an area of intense debate," Chris Richter, senior vice president of Global Managed Security Services at CenturyLink, told Security Now. "There is one school of thought that the federal government and foreign governments need to set IoT security standards and just make a policy -- and the other half says, 'No, you get government meddling in it and it will just increase cost, it will slow down commerce, and they'll do a poor job of implementing security controls for IoT.' "

On the pro-regulatory side, CTO of IBM Resilient and Cybersecurity Expert Bruce Schneier has proposed creating a new regulatory agency specifically governing the Internet and connected devices -- similar to how the Federal Aviation Administration ("FAA") regulates aircraft and airspace - because the "freewheeling" and "integrated" nature of our new IoT world can be ambiguous when it comes to government oversight and jurisdiction.

"Our world-size robot needs to be viewed as a single entity with millions of components interacting with each other. Any solutions here need to be holistic," argues Schneier. "They need to work everywhere, for everything. Whether we're talking about cars, drones, or phones, they're all computers."

Richter, for his part, falls in the opposite camp when it comes to IoT regulation -- believing that industry can and should solve this problem itself, creating a sort of Good Housekeeping seal of approval for IoT cybersecurity. To this end, Richter argues that IoT cybersecurity can be sold as a feature -- even to consumers.

"I think most people would pay a little bit more for a refrigerator that [they] knew wasn't hacking [their] home network," says Richter. "I'm not a consumer marketing expert, but… I would certainly pay more for that kind of assurance."

From there, Richter argues, the customer's imagination may run wilder than the actual likelihood of damage.

"Most consumers don't really understand how security works, but they're thinking, 'Hey, if I don't buy the refrigerator that has the security seal of approval… is a hacker going to get into my [refrigerator] and then into my bank accounts?' " said Richter. "That's the leap that a lot of consumers will make -- [that] it's going to get into everything."

Proponents of IoT security regulation, however, argue that the free market fails on this issue from a strategic-modeling standpoint -- even setting aside the extreme dystopian fantasies of zombie cars and sabotaged pacemakers.

"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features," argues Schneier. "There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

Richter disagrees, stating that IoT devices' fundamental functionalities can indeed be hampered by even botnet malware. A "smart" appliance "disrupted" too badly by malware may stop functioning, claims Richter -- much the same way that an infected computer may slow down to the point of being nearly non-functional.

Moreover, hacked access to but one connected device on a network can lead to hacked access to other devices on a network. Thus, an entire "smart home" may become hacked into via a single device's vulnerability.

Meanwhile, on Capitol Hill, Markey has proposed a bit of baby-splitting. He and Congressional Representative Ted Lieu (D-Calif.-33) recently introduced bicameral legislation to create a "voluntary cybersecurity certification program" for all connected instruments sold in the US -- computers, phones, and IoT devices. Dubbed "the Cyber Shield Act," the bill is something of a half-measure compromise between IoT regulationists and IoT free-marketers. If passed, the bill would direct the Secretary of Commerce to create a "Cyber Shield Advisory Committee" -- comprised of members from both the private and the public sector -- to advise on cybersecurity issues and best practices for IoT and other connected devices.

To this end, Markey and Lieu's bill is to strengthening IoT security what the Digital Security Commission Act -- introduced nearly two years ago by Senator Mark Warner (D-Va.) and Rep. Mike McCaul (R-Tex.-10) -- was to weakening private-sector encryption. Some cybersecurity and privacy advocates opposed the McCaul-Warner bill, criticizing it as little more than a way to exert pressure on the InfoSec community into doing the government's anti-encryption bidding -- coming in the disguise of a collaborative compromise. (The McCaul-Warner bill apparently died in subcommittee about a month after it was introduced.)

The Markey-Lieu bill, however, shows signs of potentially being less about government coercion and more about actual voluntary standards setting. The legislation's key feature is that the Cyber Shield Advisory Committee would also offer a "Cyber Shield" seal -- similar to the kind of seal Richter favors -- for device makers and sellers to put on devices that meet the Committee's standards.

It remains to be seen how much support the bill gains -- let alone how effective it could actually be. It remains entirely possible, regardless of how things turn out with Markey's legislation, that the federal government's direct involvement is inevitable.

"[IoT has] lot of different security requirements, and the effects of getting them wrong range from illegal surveillance to extortion by ransomware to mass death," observes Schneier. "Governments will get involved, regardless. The risks are too great, and the stakes are too high. Government already regulates dangerous physical systems like cars and medical devices. And nothing motivates the US government like fear."

Related posts:

— Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.