We need stronger cybersecurity laws for the Internet of Things

Posted: Nov 11, 2018 3:22 PM
Updated: Nov 11, 2018 3:22 PM

Due to ever-evolving technological advances, manufacturers are connecting consumer goods -- from toys to lightbulbs to major appliances -- to the internet at breakneck speeds. This is the Internet of Things, and it's a security nightmare.

The Internet of Things fuses products with communications technology to make daily life more effortless. Think Amazon's Alexa, which not only answers questions and plays music but allows you to control your home's lights and thermostat. Or the current generation of implanted pacemakers, which can both receive commands and send information to doctors over the internet.

But like nearly all innovation, there are risks involved. And for products born out of the Internet of Things, this means the risk of having personal information stolen or devices being overtaken and controlled remotely. For devices that affect the world in a direct physical manner -- cars, pacemakers, thermostats -- the risks include loss of life and property.

By developing more advanced security features and building them into these products, hacks can be avoided. The problem is that there is no monetary incentive for companies to invest in the cybersecurity measures needed to keep their products secure. Consumers will buy products without proper security features, unaware that their information is vulnerable. And current liability laws make it hard to hold companies accountable for shoddy software security.

It falls upon lawmakers to create laws that protect consumers. While the US government is largely absent in this area of consumer protection, the state of California has recently stepped in and started regulating the Internet of Things, or "IoT" devices sold in the state -- and the effects will soon be felt worldwide.

California's new SB 327 law, which will take effect in January 2020, requires all "connected devices" to have a "reasonable security feature." The good news is that the term "connected devices" is broadly defined to include just about everything connected to the internet. The not-so-good news is that "reasonable security" remains defined such that companies trying to avoid compliance can argue that the law is unenforceable.

The legislation requires that security features must be able to protect the device and the information on it from a variety of threats and be appropriate to both the nature of the device and the information it collects. California's attorney general will interpret the law and define the specifics, which will surely be the subject of much lobbying by tech companies.

There's just one specific in the law that's not subject to the attorney general's interpretation: Default passwords are not allowed. This is a good thing; they are a terrible security practice. But it's just one of dozens of awful "security" measures commonly found in IoT devices.

This law is not a panacea. But we have to start somewhere, and it is a start.

Though the legislation covers only the state of California, its effects will reach much further. All of us -- in the United States or elsewhere -- are likely to benefit because of the way software is written and sold.

Automobile manufacturers sell their cars worldwide, but they are customized for local markets. The car you buy in the United States is different from the same model sold in Mexico, because the local environmental laws are not the same and manufacturers optimize engines based on where the product will be sold. The economics of building and selling automobiles easily allows for this differentiation.

But software is different. Once California forces minimum security standards on IoT devices, manufacturers will have to rewrite their software to comply. At that point, it won't make sense to have two versions: one for California and another for everywhere else. It's much easier to maintain the single, more secure version and sell it everywhere.

The European General Data Protection Regulation (GDPR), which implemented the annoying warnings and agreements that pop up on websites, is another example of a law that extends well beyond physical borders. You might have noticed an increase in websites that force you to acknowledge you've read and agreed to the website's privacy policies. This is because it is tricky to differentiate between users who are subject to the protections of the GDPR -- people physically in the European Union, and EU citizens wherever they are -- and those who are not. It's easier to extend the protection to everyone.

Once this kind of sorting is possible, companies will, in all likelihood, return to their profitable surveillance capitalism practices on those who are still fair game. Surveillance is still the primary business model of the internet, and companies want to spy on us and our activities as much as they can so they can sell us more things and monetize what they know about our behavior.

Insecurity is profitable only if you can get away with it worldwide. Once you can't, you might as well make a virtue out of necessity. So, everyone will benefit from the California regulation, as they would from similar security regulations enacted in any market around the world large enough to matter, just like everyone will benefit from the portion of GDPR compliance that involves data security.

Most importantly, laws like these spur innovations in cybersecurity. Right now, we have a market failure. Because the courts have traditionally not held software manufacturers liable for vulnerabilities, and because consumers don't have the expertise to differentiate between a secure product and an insecure one, manufacturers have prioritized low prices, getting devices out on the market quickly and additional features over security.

But once a government steps in and imposes more stringent security regulations, companies have an incentive to meet those standards as quickly, cheaply and effectively as possible. This means more security innovation, because now there's a market for new ideas and new products. We've seen this pattern again and again in safety and security engineering, and we'll see it with the Internet of Things as well.

IoT devices are more dangerous than our traditional computers because they sense the world around us, and affect that world in a direct physical manner. Increasing the cybersecurity of these devices is paramount, and it's heartening to see both individual states and the European Union step in where the US federal government is abdicating responsibility. But we need more, and soon.
