Simply stated, IoT, or “Internet of Things,” is a network of Internet-connected objects than can collect and exchange data. As the name suggests, there are two parts to IoT, the Internet and the “Thing” or connected device. A simple example is a home air conditioner that the user can control via an app or website to turn it on, turn it off, set the temperature, etc.
Many experts have described the Internet as the “Wild, wild, West,” which implies both a warning to users and a desire to regulate content. The advent of IoT has renewed concerns about cyber security, so much so that the United States Consumer Product Safety Commission (“CPSC”) has taken steps toward developing a framework for IoT regulation, and Congress is considering the SMART IoT Act, which, if passed, would direct the U.S. Commerce Department to conduct a comprehensive study of all aspects of the Internet-connected devices industry.
Why Regulation?
Gartner, a leading global research firm, estimates that there were 8.4 billion connected devices in use in 2017 and that there will be more than twice that number by 2020. With the increasing popularity and diversity of connected devices, safety and security considerations are hot topics of discussion among manufacturers, retailers, consumer groups and regulators.
Cyber Attacks. The increasing frequency of distributed denial-of-service attacks (“DDoS”) is the main reason for regulation. A DDoS is an attack in which multiple compromised computer systems attack a target, such as a server, website or network-connected devices, and cause a shut-down of the targeted resource. The largest DDoS attack targeted Dyn, a company that controls much of the Internet’s domain name system infrastructure. On October 21,2016, this attack brought down Twitter, the Guardian, Netflix, Reddit, CNN and many other sites in Europe and the US. Dyn estimated that the attack had involved 100,000 “infected” network computers acting in concert to bombard servers with traffic until the network collapsed under the strain.
The Dyn attack and others make it clear that Internet security depends on the security of millions of Internet-enabled devices that affect nearly every aspect of people’s lives like cars, appliances, thermostats, medical devices, and a host of other products. It takes little imagination to understand the potential for serious injury or death from a DDoS attack on a driverless car, or example, or a connected robotic surgical device.
Other Considerations. Often designed and sold by off-shore companies unfamiliar to consumers, the manufacturers of Internet-connected devices historically have had no incentive and/or expertise to address security, which often falls victim to production cost reductions. Further, many of these devices don’t get security updates like more expensive computers do and don’t have a way to be patched. To exacerbate the concern, the life expectancy of these devices, unlike computers and smartphones, is years or even decades.
Likewise, consumers tend not to think about security. For them, it’s more about connected device features and keeping up with the latest technology. They want a product like a thermostat, webcam or refrigerator with “cool” and “convenient features at a good price.
Recent Initiatives to Regulate IoT
CPSC. On May 16, 2018, the Consumer Product Safety Commission (“CPSC”) conducted a public hearing to consider commentary from interested parties about the Internet of Things and consumer product hazards. Speakers included representatives from the Cyber Security Coalition, the Organisation for Economic Co-operation and Development, the Consumer Federation, and the Retail Industry Leaders Association. Recommendations by participants included, the need for both voluntary industry standards and government regulation of connected devices, enhanced manufacturers’ use descriptions, better product training, automated product “shut down” capabilities, remediation mechanisms, and enhanced product liability laws.
According to the CPSC, collaboration with voluntary standards organizations should result in safety specifications for consumer products. The Commission hopes that the development of specifications will bring industry groups, government agencies, and consumer groups together to agree on best consumer product safety practices.
The Smart IoT Act & Internet of Things Cybersecurity Improvement Act. Introduced June 7, 2018, the Smart IoT Act (HB 6032) the Act is being considered by a few House of Representatives committees. The Act would empower the Secretary of Commerce to conduct a study of the IoT industry and prepare a report for Congress. The report would identify all sectors that manufacture, promote or use IoT devices, as well as any federal agencies that have authority over those industries, public-private partnerships that promote use and adoption of IoT devices, and international entities that have developed, or are in the process of developing, standards for Internet-connected devices, whether mandatory or voluntary. The Act also would require the government to maintain a list of all federal resources consumers can use to gauge the worthiness of Internet-connected devices.
Senators Warner and Gardner introduced the Internet of Things Cybersecurity Improvement Act in 2017. While this Act does mention security, it doesn’t necessarily benefit consumers. Vendors under the Senate bill would be required to meet cybersecurity standards only if they want to engage in government contracts associated with their devices.
Current Measures are Not Enough
Recent cyberattacks clearly have caught the attention of the Internet-connected device industry, users and Congress. The attacks have forced the industry to reexamine its approach to everything from the definition of “user” in the new business-to-business-to-consumer environment, to the design and marketing of such devices, to the need for safety and security in manufacturing and distribution. While the Smart IoT Act, the Internet of Things Cybersecurity Improvement Act, and the recent CPSC regulations constitute the government’s foray into IoT, without a mandate for cybersecurity standards, Legislators should consider and act upon the recommendations groups such as those that participated in the recent CPSC hearing calling for more government regulation of connected devices, enhanced manufacturers’ use descriptions, better product training, automated product “shut down” capabilities, remediation mechanisms and enhanced product liability laws.
References:
Hung, M. (2017). Leading the IoT: Gartner insights on how to lead in a connected world. Retrieved September 19, 2018, from www.gartner.com/imagesrv/books/iot/iotEbook_digital.pdf
Quora. (n.d.). What is the simple meaning of internet of things? Retrieved October 9, 2018, from www.quora.com/What-is-the-simple-meaning-of-Internet-of-Things
Schneier, B. (2016a). The government has to get involved in the ‘internet of things.’ Retrieved September 19, 2018, from www.washingtonpost.com/posteverything/wp/2016/11/03/your-wifi-connected-thermostat-can-take-down-the-whole-internet-we-need-new-regulations/?noredirect=on&utm_term=.e53f15286c21
TechTarget. (n.d.). Distributed denial of service (DDoS) attack. Retrieved October 9, 2018, from https://searchsecurity.techtarget.com/definition/distributed-denial-of-service-attack
United States Consumer Product Safety Commission. (2018a). Public hearing on the ‘internet of things and consume product hazards’ part 1 (video). Retrieved September 19, 2018, from www.cpsc.gov/Newsroom/Video/public-hearing-on-the-internet-of-things-and-consumer-product-hazards-part-1
United States Consumer Product Safety Commission. (2018b). Voluntary standards. Retrieved September 19, 2018 from www.cpsc.gov/Regulations-Laws--Standards/Voluntary-Standards/