Precision agriculture, monitoring water use, remote medicine – these are just some of the developments enabled by the expanding use of Internet of Things (IoT) devices. There is no doubt that IoT devices can improve our lives. At the same time, however, the growing use of IoT devices raises security, privacy, and trust concerns, as well as the need to establish privacy and security standards for IoT devices.
In the last couple of years, standard-setting organisations, such as the International Standards Organisation (ISO), the European Telecommunications Standards Institute (ETSI), and the US National Institute of Standards and Technology (NIST), issued various voluntary IoT security standards. Yet, today, more measures are expected from governments around the world to deal with the issue. The need to regulate and define IoT standards might put financial pressure on the thriving IoT industry. Governments, therefore, are trying to figure out how to deal with the IoT industry on this matter.
In Finland, for example, a public-private partnership was created between the National Cyber Security Centre Finland (NCSC-FI) and a group of private companies, which led to the creation of a cybersecurity label for IoT products so that consumers would know which devices to purchase, while the UK government published a Code of Practice for Consumer Internet of Things Security. However, change has not been quick enough. Thus, the UK government decided to create more binding legislation to ensure stronger security is built into consumer IoT products, and it is currently wrapping up a public consultation process on the topic. In Singapore, the Cyber Security Agency of Singapore created the Cybersecurity Labeling Scheme (CLS), which provides cybersecurity rating levels so that consumers can choose products based on their security ratings. To encourage manufacturers to apply for the label, the agency waived the application fees for the CLS for a year.
Finally, the most recent example of governmental regulation took place in the USA when the Internet of Things Cybersecurity Improvement bill was enacted last week. According to this bipartisan legislation: (1) the National Institute of Standards and Technology (NIST) will publish standards and guidelines on the use and management of IoT devices by the federal government, including minimum information security requirements; (2) the Office of Management and Budget (OMB) will review federal government information security policies and make any necessary changes to ensure they are consistent with NIST’s recommendations; (3) both NIST and OMB will have to update IoT security standards, guidelines, and policies at least every five years; (4) federal agencies will not be able to use IoT devices that do not comply with these security requirements; (5) NIST will be asked to publish guidelines for reporting security vulnerabilities relating to federal-agency information systems, including IoT devices; (6) the OMB will be in charge of developing and implementing policies that are necessary to address security vulnerabilities relating to federal-agency information systems, including IoT devices, consistent with NIST’s published guidelines; and (7) contractors providing IoT devices to the US government will have to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
In a nutshell, according to this legislation, NIST will be in charge of defining IoT standards for the federal government, and companies that wish to work with the government will have to comply with these standards. The decision to task NIST with these responsibilities is not surprising. Over the last couple of years, NIST has issued various guidelines and projects on IoT standards, such as Securing Small Business and Home Internet of Things (IoT) Devices, Securing the Industrial Internet of Things, and Foundational Cybersecurity Activities for IoT Device Manufacturers. Furthermore, the institution was recognised by the industry, as well as by civil society organisations, as the professional entity that needs to address these issues.
However, it is notable that the US approach differs from the above-mentioned steps taken by other governments. First, instead of working directly with the manufacturers of IoT devices, this approach offers incentives to companies that wish to work with the federal government, thus leaving them with the choice of how to conduct their businesses. Second, this legislation focuses only on IoT devices owned or controlled by the federal government and not on consumer IoT, which also constitutes a source of privacy and security concerns. So, it remains to be seen whether this legislation will have a ripple effect, or even lead to a change in security and privacy standards for consumer IoT devices in the USA.
Dr Efrat Daskal is a research fellow at the Federmann Cyber Security Research Center – Cyber Law Program at the Hebrew University of Jerusalem (Israel).