Balancing Act of Regulation and Innovation

This article is a precursor to a more in-depth analysis of Security by Design/Default principles for IoT device producers by proving an overview of the current requirements for security within the expanding IoT industry. The aim is provide some food for thought before delving deeper into the specifics of IoT regulation and legislative control.

As discussed in the blog post Connectivity and Vulnerability: An Examination of Cybersecurity Threats resulting from IoT Development, IoT devices and capabilities will continue to play a significant part in future business capabilities. In addition, due to the complexity of these devices and their capabilities, threats from malicious actors, as well as intrinsic vulnerabilities will exist. The logical approach to ensuring that IoT devices are kept as secure as possible rests upon the premise that security prioritization begins during development and production phases. Security is a particularly difficult measure to implement retroactively, requiring improvements to both software and hardware.

Risk arises from both known and unknown elements

To paraphrase Tim Stevens, risk arises from both known and unknown elements; the onus of protection regarding known risks rests most strongly upon the producers of IoT devices to ensure that they are implementing a satisfactory degree of security in their products, in order to mitigate future unknown risks. However, the conflict between the rapid development of IoT, and legislative regulation, is yet to be resolved to any satisfactory degree.

IoT Regulation through Legislative Action

In September of 2018, The Washington Post reported that a Bill (SB-327) was awaiting the signature of Gov. Jerry Brown (D) of California which would require IoT device manufacturers to implement basic device security measures. At this time, the Bill has been signed and will come into power as of January 1, 2020.The Bill is seen in both a positive and negative light however. The Bill itself states that:

1.81.26. Security of Connected Devices
1798.91.04.

(a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:

(1) Appropriate to the nature and function of the device.

(2) Appropriate to the information it may collect, contain, or transmit.

(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:

(1) The preprogrammed password is unique to each device manufactured.

(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

The positive aspects of the Bill are that finally, steps are being taken to ensure that there is a legal basis for a minimum standard of protection required for all IoT devices which are manufactured. This will serve to protect those devices which are currently produced without adhering to industry ‘best practices’, and create significant risk for the users of the devices.

The negative takeaway is that the wording of the Bill is rather vague, and seems to leave the onus of determining what exactly can be considered “appropriate”. Additionally, there is no information which sets out clearly defined requirements for what constitutes a ‘security feature’.

It is quite possible that in the near future, there will be a security feature requirements catalogue and certification process for IoT devices. However, this will serve to increase the workload for innovative device manufacturers, and the complexity of the IoT environment. In an International Electrotechnical Commission Whitepaper of 2016 entitled IoT 2020: Smart and secure IoT platform, the problem of governmental control over IoT regulation was already noted. The problem was, that “government bodies strive for regulations that  provide a proper balance between supporting helpful innovation and protecting consumers” and that the search for this balance was “causing significant confusion in the marketplace and adding to the complexities of designing, building, deploying and operating both homo- and heterogeneous systems within and across geopolitical boundaries.”

Innovative Liberty or Risk Promotion?

The problem mentioned above is significant when considering the fact that a huge range of business opportunities are arising from the continued, somewhat unhindered (or overly regulated) development of IoT technologies. An excess of regulation stymies development, which restricts market growth, and results in a negative economic effect. Uncertainty between IoT manufacturers and regulators can lead to an environment wherein regulators are forced to play ‘catch-up’ in order to regulate new developments in IoT technology, and manufacturers slow their research and development efforts due to concerns which arise from the unknown of when and how their projects will be impacted by newly implemented regulatory requirements.

As Deloitte, future developments within the IoT industry will require us to adapt service offerings and to cater our approach to the specific needs of our clients. As part of our offerings, we seek to share our experiences and knowledge in order to build awareness. We look forward to delving further into this topic in the next Blog Post and discovering more opportunities together.