While a new California law is poised to impose strict security standards on Internet of Things (IoT) devices, many security professionals see the legislation as, at best, a first step in mitigating a looming crisis in IoT security.
"This legislation is sort of a case in point for how something that seems like an obviously good idea is much more nuanced in how it affects security," says Milos Prvulovic, a computer science professor at the Georgia Institute of Technology (Georgia Tech).
The impetus behind the law is the widespread knowledge that hundreds of thousands of IoT devices currently tethered to the Internet across the globe are woefully undersecured.
In too many cases, individual manufacturers have shipped hundreds or thousands of those devices with the exact same password preinstalled, and while purchasers can change that password, many do not, making hacker penetration of the technology child's play.
Security professionals worry organized hacker crime rings, or some nation-states, will be able to easily penetrate poorly secured IoT devices and networks to bring down public utilities, including the nation's electrical grid.
"IoT security has the potential impact to disrupt the operations of industries handling part of the nation's critical infrastructure," says Ruggero Contu, a senior director analyst at market research firm Gartner. "This can have disastrous consequences."
The potential result of hacker meddling with healthcare and automotive IoT devices could be similarly dire, with the possibility of causing real injury or even death, Contu says.
Adds Nisarg Desai, director of product management for IoT Solutions at identity and security services company Global Sign, "Smart cities could be compromised, disabling entire communities."
California's new law, effective January 2020, tries to get a handle on the vulnerability of IoT devices—at least those within that state—by mandating each new IoT device sold in California must be preloaded with its own, unique password, or require the consumer to generate a unique password before the device can operate.
The law also requires manufacturers to equip IoT devices with reasonable security features appropriate to the nature of the device and the information it collects.
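The two conditions the law sets out, a credential that is unique to each device or a forced change of a shared factory credential before the device will operate, can be expressed as a fleet audit plus a first-boot gate. The following is an added example written for this article, not code from any manufacturer or from the legislation; the inventory, serial numbers and credentials are constructed, and SHA-256 stands in for the slow, salted password hash a real device would use.

```python
"""Fleet audit for shared factory credentials, plus a first-boot gate that
refuses to operate until a shared default credential has been replaced."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


def _digest(secret: str) -> str:
    # Stand-in for a real password hash (argon2/bcrypt/scrypt); SHA-256 is used
    # only so the example runs with the standard library.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed sample inventory (hypothetical): serial -> hash of the credential
# the device shipped with. Three cameras share one default; two were provisioned
# with per-device credentials.
SAMPLE_INVENTORY = {
    "CAM-0001": _digest("admin"),
    "CAM-0002": _digest("admin"),
    "CAM-0003": _digest("admin"),
    "CAM-0004": _digest("7Qx!pL2mN9vR"),
    "CAM-0005": _digest("kB4#zW8tY1sH"),
}

# Credentials that must never be accepted as a consumer-chosen replacement.
COMMON_DEFAULTS = {"admin", "password", "default", "root", "12345678"}


def find_shared_credentials(inventory: dict) -> dict:
    """Return {credential_hash: [serials]} for every credential that more than
    one device shipped with. A non-empty result is the problem the law targets."""
    by_hash = defaultdict(list)
    for serial, digest in inventory.items():
        by_hash[digest].append(serial)
    return {h: sorted(serials) for h, serials in by_hash.items() if len(serials) > 1}


def shared_credential_ratio(inventory: dict) -> float:
    """Fraction of devices whose factory credential is shared with another device."""
    if not inventory:
        return 0.0
    affected = sum(len(s) for s in find_shared_credentials(inventory).values())
    return affected / len(inventory)


@dataclass
class Device:
    serial: str
    factory_hash: str          # credential written at manufacture
    factory_is_unique: bool    # True if the factory credential was generated per device
    current_hash: str = ""

    def __post_init__(self):
        if not self.current_hash:
            self.current_hash = self.factory_hash

    def may_operate(self) -> bool:
        """Either condition satisfies the requirement: a unique preloaded
        credential, or the shared factory credential has been replaced."""
        return self.factory_is_unique or self.current_hash != self.factory_hash

    def set_credential(self, new_secret: str) -> bool:
        """Accept a replacement only if it is not a well-known default, not the
        factory credential, and not trivially short. Returns True on success."""
        if len(new_secret) < 8 or new_secret.lower() in COMMON_DEFAULTS:
            return False
        new_hash = _digest(new_secret)
        if new_hash == self.factory_hash:
            return False
        self.current_hash = new_hash
        return True


if __name__ == "__main__":
    shared = find_shared_credentials(SAMPLE_INVENTORY)
    print(f"shared credentials: {len(shared)} group(s), "
          f"{shared_credential_ratio(SAMPLE_INVENTORY):.0%} of devices affected")
    cam = Device("CAM-0001", _digest("admin"), factory_is_unique=False)
    print("operable out of the box:", cam.may_operate())
    print("accepted 'admin' again:", cam.set_credential("admin"))
    print("accepted replacement:", cam.set_credential("7Qx!pL2mN9vR"))
    print("operable after change:", cam.may_operate())
```

The audit side is what a manufacturer or an auditor would run over provisioning records; the gate is what the device firmware enforces. A device provisioned with a unique credential passes immediately, while one that shipped with a shared default stays inoperable until `set_credential` succeeds with something that is neither the default nor a well-known weak value.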
"The lack of basic security features on Internet-connected devices undermines the privacy and security of California's consumers, and allows hackers to turn everyday consumer electronics against us," says California State Senator Hannah-Beth Jackson (D-Santa Barbara), who sponsored the bill that becomes law in 2020. Jackson said the new law will ensure "that technology serves the people of California, and that security is not an afterthought but rather a key component of the design process."
Some critics say California did not go nearly far enough. The new law contains no language requiring manufacturers or consumers to upgrade poorly secured IoT devices that are already connected to the Internet, or those that will be connected before the law takes effect.
In addition, the law does not anticipate future IoT security technologies. "It needs to be defined broadly enough to include ways of secure log-in that we have not thought of yet," says Georgia Tech's Prvulovic.
Moreover, other critics doubt that any law regulating manufacturers can truly secure the IoT. "The reality is that true device security is a combination of technologies, processes and best practices," says Scott Nelson, vice president of product, Digi International, a provider of IoT products and services.
Joshua Belk, co-founder of OPSEC360, an IoT security solution provider, is even more dismissive. "California got it wrong," Belk says. "Industry professionals do not require further regulation and oversight to build security into their products. Security measures are good for business, but the implementation of these protocols vary greatly," he says.
Belk says regulating standards for IoT security "creates conditions which devalue security and innovation and can provide a roadmap for exploitation. I think we hurt the industry and consumers by limiting ourselves with mandatory security settings or protocols.
"Instead, I believe security standards are naturally emerging to meet consumer needs and while that may seem riskier, in fact it is a better approach to identifying true secure needs and mitigations."
Adds Alexandra Deschamps-Sonsino, lead for London, U.K.-based Open I.O.T Mark, "Just shaking a legal stick at them (manufacturers) won't encourage good behavior. It will just panic manufacturers and trigger them to move to other countries."
Still other IT security professionals believe securing the IoT is best managed via a concerted effort of industry and government working together to create standards.
"The best way to solve IoT vulnerabilities isn't strict legislation, but rather for the government to partner with the industry in creating and adopting strong IoT security standards," says Randy Vander, executive director of the Secure Technology Alliance, a digital security industry association that aims "to stimulate understanding, adoption and widespread application of connected digital solutions based on secure chip and other technologies and systems needed to protect data, enable secure authentication and facilitate commerce."
Says Vander, "Industry-driven standards would be expected to go past improving password security and emphasize built-in device security." Rather than legislating standards, Vander adds, "Working together would put the industry on a faster trajectory towards adopting better IoT security while limiting the need for more regulation."
On the other hand, says Global Sign's Desai, "Addressing the issue on a national level may encourage other countries to also establish security measures that protect device identity and device communication on a global scale."
There's yet another incentive for industry/government cooperation on new laws or standards. Says Syed Ali, expert vice president and a leader of the Information Technology practice of management consulting firm Bain and Co., "Mid-sized and large businesses are willing to buy substantially more IoT devices—specifically, 74% more IoT devices above and beyond existing plans for 2020—if their concerns about security risks were addressed." That data came from a study on IoT security that Bain released in June 2018.
Even so, companies and governments working together to create standards and/or legislation to secure the IoT have their work cut out for them. Says Prvulovic, "Legislation that carefully defines who is liable should something bad happen in a way that discourages poorly secured devices from being sold and/or bought might improve security."
He adds, "But it would also probably make the device more expensive and have other ripple effects. It is a very complex problem, and even the seemingly simple and obvious solutions have downsides."
Joe Dysart is an Internet speaker and business consultant based in Manhattan, NY, USA.