Though much celebrated, the Internet of Things (IoT) has nevertheless opened a Pandora's box of new challenges in Internet security and data privacy. The need for some sort of oversight seems long overdue. But who should be responsible for ensuring safer IoT devices? Can manufacturers be trusted to provide effective safeguards on their own? Or will government be required to step in?
On March 11, 2019, members of the US Congress suggested a partial answer when it put forth the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, which aims to "leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices." While the legislation does not demand standards, if passed, manufacturers must provide devices that are inherently more secure by design — in other words, constructed with internal security features and password protection — to be eligible for lucrative government contracts.
It's been a slow process. IoT devices, after all, have been around for almost 10 years, and US government agencies were aware of security issues at least by 2015. Nevertheless, many cybersecurity experts were suggesting legislation would be a "legal nightmare" and that the only solution was self-regulation. It was a similar situation in the UK. The UK government had previously stated its preference that the industry self-regulate, with some regulation where necessary. But it, too, is in the process of enacting laws aimed at better securing and protecting the data collected by connected devices.
What changed? There are still significant problems with many IoT devices currently available. Cybersecurity experts are also concerned about the longevity of these devices and the ability of manufacturers to provide security updates in a timely manner. A lightbulb may be short lived, but the lifespan of the average refrigerator is between 14 and 17 years. Will the manufacturer even still be in business then?
For these reasons, I think it's also inevitable that future legislation will go much further and establish basic security standards for all devices sold in the US, similar to California's IoT security law SB-327, which prohibits the use of easily hacked default passwords. Nevertheless, while government legislation has the potential to influence manufacturers and suppliers of IoT devices, it's important to look at the big picture.
At this time, we're just at the beginning of an important conversation about the future of our homes and cities, which must also involve many other players in the industry, such as network operators, service providers, cybersecurity professionals, educators, and consumer groups.
While the US Congress is focused on state-level security, privacy concerns of consumers must also be taken into consideration. According to a recent report from Consumers International and the Internet Society, 77% of respondents said data privacy and security are key contributors to their device buying decision-making. Nearly a third of respondents (28%) who haven't yet purchased a smart device said they will not buy one due to privacy and security misgivings.
Manufacturers are well aware of these concerns. Indeed, to protect their own reputations and businesses, they may go beyond any future government guidelines because a major security breach could be disastrous for them. Samsung, for example, recently revealed — completely on its own initiative — that some of its televisions have vulnerabilities and provided scanning information online. Consumers, after all, do need to stay informed and take some responsibility for their home network safety. But that smart TV is just the beginning.
According to Gartner, by the end of this year, globally, around 14 billion IoT devices will be connecting to the Internet, and that number is predicted to grow to 25 billion devices by 2021. As a number of recent reports have shown, just one vulnerable IoT device can jeopardize an entire home network and threaten a person's privacy and personal security. Where infrastructure is concerned, the security and trustworthiness of an organization or even a public utility may be at risk. If we're to avoid another disaster like that which affected Ukraine, when Russian hackers were able to shut down portions of its power grid, we must work together to ensure everyone's concerns are being heard, from cybersecurity experts to city planners, especially with the further development of 5G networks.
For that reason, smart city conferences, focused on IoT security for industry and citizens, have begun to appear. In 2018, Tel Aviv hosted its first cybersecurity conference for "smart cities" attracting over 7,000 people, including 80 delegations from municipalities around the world.
Bringing together governmental representatives, cybersecurity professionals, tech giants, consumers, and researchers is definitely a step in the right direction. To learn and share knowledge, for example, at SAM Seamless Network, we have partnered with Internet service providers, gateway and IoT manufacturers, global device suppliers, and antivirus companies. We also participate in many working groups to influence the market on a higher level. In the end, securing IoT devices must be a joint effort.
Manufacturers must make IoT devices with the highest possible security measures built in, and make it easy for consumers to change passwords and update firmware. Consumers, for their part, must be prepared to learn how they can protect themselves. Internet service providers can protect the gateways to home networks. Governments must think and plan ahead, using the best data from all available sources, and with the input of consumers and vendors.
By working together, government, industry, SMBs, and consumers will enjoy all the benefits smart, secure IoT devices can offer, including more efficient homes and safer, more productive smart cities.