IoT Regulation: Disarming a Ticking Security Time Bomb
On the morning of September 29, 1982, a twelve-year-old girl in the Chicago suburbs woke up feeling sick. Instead of going to school, she stayed home and took a Tylenol early in the morning. She died shortly after that. Not far away, around noon that same day, a 27-year-old postal worker took two Tylenol and was pronounced dead a few hours later. In a sick twist, his brother and sister-in-law came to mourn his death and took pills from the same bottle, and both shared his fate. Within days, a total of seven people had died as investigators learned that someone had tainted Tylenol bottles throughout the Chicago area with cyanide.
The drugmaker, Johnson & Johnson, responded by orchestrating an unprecedented recall of 31 million Tylenol bottles and offering free replacements. The FDA established new packaging guidelines by November and, in 1989, mandated that all over-the-counter drugs be enclosed in tamper-evident packaging—seven years after the Tylenol scare.
“When it comes to regulating the Internet of Things, I would suggest that we don’t have seven years,” says Craig Spiezle, executive director and CEO of the Online Trust Alliance (OTA) and strategic advisor to the Internet Society. The risk of failing to properly regulate IoT devices could trigger long-term consequences—similar to global warming or industrial pollution, he says.
With IoT, internet security applies to seemingly everything—from cars to airplanes to industrial facilities to home devices. Wide-scale connectivity, however, invites problems. It opens up, as OTA has termed it, “a treasure chest ripe for abuse by white-collar criminals, terrorists, and state-sponsored actors.” “This is no longer an online security issue but an offline safety issue, so the threats to your physical life and safety are huge now, and real harm will occur,” Spiezle explains. “Now is the time to build security and privacy controls into products for when they ship and update through their life.” (OTA has developed what it calls “the IoT Trust Framework,” a set of fundamental requirements for IoT devices.)
Such risks invite government intervention, as has been the case with food safety, aviation, the automobile industry, household products, and financial products. “I don’t think a ‘none-of-the-above’ approach to regulation will work anymore [for IoT],” said Bruce Schneier, chief technology officer of IBM Resilient, earlier this year at the RSA Conference. “The physicality of the IoT will spur governments to action. My proposal in the U.S. is I think we need a new regulatory agency,” Schneier explains. “Think of 9/11 leading to the Department of Homeland Security.”
No Perfect Security, No Perfect Privacy, and No Clear Leader
“I don't believe that any system is totally secure,” declared Matthew Broderick in a 1983 Cold War sci-fi film. Those words still apply to software security. “Bad things will happen to good companies,” Spiezle says. “No matter how hard you work to develop a secure product today, in the future, there will be a vulnerability.” With the uptick in connected objects surrounding us, the same general principle applies to privacy. Already this year, there have been several reports of everything from smart TVs to digital assistants like Amazon’s Echo to smartphones surreptitiously snooping on consumers.
While there is some amount of consumer outrage around such events, it pales in comparison to events that result in physical injury or fatalities. “If you buy an IoT toy and it explodes, there will be repercussions,” said Bruce Schneier in a session at the RSA Conference. “But if it joins a botnet and DDoSes people across the planet, no one cares.”
When a product poses a risk to consumers’ physical safety, the threat of liability is clear. But applying liability to privacy is a different matter entirely. “It is very hard to prove that somebody got hurt because their data was collected and their insurance premium went up, or they didn’t get a house loan because of their behavior throughout history,” says Olaf Kolkman, chief internet technology officer with the Internet Society.
Such matters can be as difficult for policymakers as they are for vendors. The former likely don’t have a clear understanding of what is possible with the latest technology, and the latter aren’t likely to think about such matters at all. “If you are in the refrigerator industry, you likely don’t have a good sense of issues like privacy, collection of data, and the risks involved in storing data in the cloud,” Kolkman says.
“We really need some leaders to step forward right now,” Spiezle says. But many technology vendors are reluctant to step up. “They are concerned that if they come out today and say that they are committed to security and privacy, they will get beat up if something bad happens tomorrow.”
Ultimately though, there is no magic bullet when it comes to Internet of Things security. Neither the industry nor regulators are up for the job alone. “There needs to be an ongoing dialog. You have to address IoT security risks in an internet-sort-of way,” Kolkman notes. There is no central leader or central place that makes all of the regulations for the internet—instead, entities from across the internet take some responsibility to improve the system as a whole. “That means you have to act locally and organize yourself locally and have a global perspective. Keep the dialog going and nurture a sense of accountability throughout that ecosystem,” Kolkman adds.
U.S. Government Taking It Slow for Now
The prospect of regulating the Internet of Things, however, is inherently difficult given the mismatch between technology and government. In addition to the fast vs. slow dichotomy, there is also the fact that the Internet of Things tends to be a silo-busting technology. The U.S. government, by contrast, is organized into discrete agencies such as the FCC, FAA, FDA, and so forth. Between the agencies, there tends to be a mixture of overlapping and non-overlapping rules, and few bureaucrats tend to be tech-savvy.
In the United States, another wrinkle is President Trump’s stated policy of eliminating two regulations for every new one that is enacted. Acting Federal Trade Commission chair Maureen Ohlhausen has stated that she’d rather wait until potential IoT problems show up before regulating the industry. “We’re not saying: ‘Let’s speculate about harm five years out,’ but ‘Is there something happening that harms consumers right now or is likely to cause harm to consumers?’” Ohlhausen recently said, per The Guardian. “We don’t know if that risk will materialize. It may well materialize, but a solution may materialize at the same time.”
But at present, many observers are pleading that the U.S. government step in and regulate connected devices. “IoT Security must be treated by the Trump administration and regulators as a national security threat,” says Dilip Sarangan, IoT global research director at Frost & Sullivan. “Currently, there are billions of devices that communicate with each other over the Internet. While cellular carriers, network infrastructure vendors and large companies in IoT have taken measures to secure their networks, there are thousands of developers creating IoT applications and hardware that do not adhere to these guidelines. The only way to secure devices is to establish standards for developing and securing hardware coupled with stringent security measures from the various federal agencies,” Sarangan concludes.
Over the past few months, a variety of federal agencies have issued guidelines related to securing the Internet of Things. “However, it is critical for these federal agencies to move things one step further and develop regulations that put the onus of securing IoT devices on developers, networking companies, and systems integrators,” Sarangan notes. “This step would ensure that large vendors work together to develop standards that ensure IoT device security and eliminate the weak link in the chain.”
For the time being, however, there are regular reminders of the risks posed by connected devices, ranging from hacked vehicles, transit stations, airplanes, and industrial facilities to botnets that can bring down swaths of the internet. Just this past weekend, someone hacked into all 156 of the emergency weather sirens in Dallas, TX. The sirens blared for an hour and a half, kicking off 18 minutes before midnight. Though a reminder of the havoc hackers can wreak with connected municipal devices, it was at least a false alarm.