27 September 2023

The price of security: Why we need stronger laws for the Internet of Things

Start the conversation

Bruce Schneier* says new laws should provide a monetary incentive for companies to invest in the cybersecurity measures needed to keep their products secure.


Photo: Andres Urena

Due to ever-evolving technological advances, manufacturers are connecting consumer goods — from toys to lightbulbs to major appliances — to the internet at breakneck speeds.

This is the Internet of Things (IoT), and it’s a security nightmare.

The IoT fuses products with communications technology to make daily life more effortless.

Think Amazon’s Alexa, which not only answers questions and plays music, but also allows you to control your home’s lights and thermostat.

Or the current generation of implanted pacemakers, which can both receive commands and send information to doctors over the internet.

But like nearly all innovation, there are risks involved.

And for products borne of the IoT, this means the risk of having personal information stolen or devices being overtaken and controlled remotely.

For devices that affect the world in a direct physical manner — cars, pacemakers, thermostats — the risks include loss of life and property.

By developing more advanced security features and building them into these products, hacks can be avoided.

The problem is that there is no monetary incentive for companies to invest in the cybersecurity measures needed to keep their products secure.

Consumers will buy products without proper security features, unaware that their information is vulnerable.

It falls upon lawmakers to create laws that protect consumers.

While the US Government is largely absent in this area of consumer protection, the State of California has recently stepped in and started regulating IoT devices sold in that State — and the effects will soon be felt worldwide.

California’s new SB 327 Law, which will take effect in January 2020, requires all “connected devices” to have a “reasonable security feature.”

The good news is that the term “connected devices” is broadly defined to include just about everything connected to the internet.

The not-so-good news is that “reasonable security” remains defined such that companies trying to avoid compliance can argue that the law is unenforceable.

The legislation requires that security features must be able to protect the device and the information on it from a variety of threats and be appropriate to both the nature of the device and the information it collects.

California’s Attorney-General will interpret the law and define the specifics, which will surely be the subject of much lobbying by tech companies.

There’s just one specific in the law that’s not subject to interpretation: default passwords are not allowed.

This is a good thing; they are a terrible security practice.

But it’s just one of dozens of awful “security” measures commonly found in IoT devices.

Though the legislation covers only the State of California, its effects will reach much further.

All of us are likely to benefit because of the way software is written and sold.

Automobile manufacturers sell their cars worldwide, but they are customised for local markets.

The car you buy in the US is different from the same model sold in Australia, because the local environmental laws are not the same and manufacturers optimise engines based on where the product will be sold.

But software is different.

Once California forces minimum security standards on IoT devices, manufacturers will have to rewrite their software to comply.

At that point, it won’t make sense to have two versions: one for California and another for everywhere else.

It’s much easier to maintain the single, more secure version and sell it everywhere.

The European Union’s General Data Protection Regulation (GDPR) is another example of a law that extends well beyond physical borders.

This is because it is tricky to differentiate between users who are subject to the protections of the GDPR — people physically in the European Union, and EU citizens wherever they are — and those who are not.

It’s easier to extend the protection to everyone.

Once this kind of sorting is possible, companies will, in all likelihood, return to their profitable surveillance capitalism practices on those who are still fair game.

Surveillance is still the primary business model of the internet, and companies want to spy on us and our activities as much as they can, so they can sell us more things and monetise what they know about our behaviour.

Insecurity is profitable only if you can get away with it worldwide.

Once you can’t, you might as well make a virtue out of necessity.

So, everyone will benefit from the Californian regulation, as they would from similar security regulations enacted in any market around the world large enough to matter.

Most importantly, laws like these spur innovations in cybersecurity.

Right now, we have a market failure.

Because the courts have traditionally not held software manufacturers liable for vulnerabilities, and because consumers don’t have the expertise to differentiate between a secure product and an insecure one, manufacturers have prioritised low prices, getting devices out on the market quickly and additional features over security.

But once a government steps in and imposes more stringent security regulations, companies have an incentive to meet those standards as quickly, cheaply and effectively as possible.

IoT devices are more dangerous than our traditional computers because they sense the world around us, and affect that world in a direct physical manner.

Increasing the cybersecurity of these devices is paramount, and it’s heartening to see both individual States and the European Union step in where other governments are abdicating responsibility.

But we need more, and soon.

* Bruce Schneier is a security technologist and Chief Technology Officer of IBM Resilient. He tweets at @schneierblog and blogs at schneier.com.

This article first appeared at edition.cnn.com.

Start the conversation

Be among the first to get all the Public Sector and Defence news and views that matter.

Subscribe now and receive the latest news, delivered free to your inbox.

By submitting your email address you are agreeing to Region Group's terms and conditions and privacy policy.