As the desire to stay constantly connected with friends and family in cyberspace slowly transcends every other basic human need, human beings are also developing similar attachments to their electronic gadgets. To ensure that we are always connected to our precious devices, manufacturers are connecting consumer goods to the internet at breakneck speed. Such gadgets and devices make up the Internet of Things (IoT), connected not just with us but also with each other, constantly transferring data and information. However, if there is one aspect of IoT that outright scares consumers and cybersecurity experts, it is its inherent lack of security.
Securing IoT devices is a tricky business, and manufacturers often neglect it to reduce the cost of the device itself. Moreover, the millions of operational IoT devices provide an equal number of unsecured access points for hackers to break into the system. Recently, the notion of Artificial Intelligence (AI) shaping the IoT architecture has raised added security concerns, as these systems can be manipulated to work against the people who implemented them in the first place. It’s imperative that governments pass cybersecurity laws that govern the security protocols mandatory in IoT devices. Although this can raise their prices, it can help secure the IoT infrastructure in the long run.
The state of California in the United States has spearheaded the introduction of IoT-related laws and regulation, applicable only to IoT devices sold in the state. The new SB 327 law, effective from January 2020, requires all “connected devices” to have a “reasonable security feature”. While the broadly defined term “connected devices” includes just about everything connected to the internet, “reasonable security feature” is defined in such a way that companies trying to avoid compliance can argue that the law is unenforceable.
In broad terms, the legislation requires that the device and the information it carries be protected by security features that are appropriate to both the nature of the device and the information it collects. One specific point in the law mandates that default passwords are not allowed, which is a great measure, as they are a terrible security practice. However, tech companies have already started lobbying for the law to be interpreted in a lax way, which would give them the freedom to circumvent minimum security standards.
Nonetheless, requiring manufacturers to meet minimum security standards is beneficial not just to California, but also to the rest of the world. It would be easier for manufacturers to release just one product with updated security measures than to release one with enhanced security in California and another with no security features for the rest of the world. If you have noticed an increase in websites that force you to acknowledge that you’ve read and agreed to the website’s privacy policies, it’s because of the implementation of the European General Data Protection Regulation (GDPR). Although the laws are only implemented in the EU, an entire global audience has to agree to their norms, as the websites are inherently for a global audience. It’s easier to extend the protection to everyone.
While the SB 327 law is a start, it’s just a drop in the ocean of what’s required to effectively secure millions of unsecured IoT devices. However, the law may serve as a stepping stone for other U.S. states and the EU to pass their own legislation. If an IoT device follows security protocol in any part of the globe, it would also do so worldwide.