Web Device Tech Demands Consumer Security Oversight


By Joyce E. Cutler

Lawmakers and regulators should continue to oversee data security issues of web-connected devices even as internet of things technology outpaces their efforts, cybersecurity researchers and industry insiders told Bloomberg BNA.

Manufacturers race to get their newly designed internet of things (IoT) devices to market quicker than their competitors. The aim of the IoT industry, which Cisco Systems Inc. Executive Chairman John Chambers told Bloomberg News may be worth $19 trillion, is to be the first to market and at the lowest price. But sometimes, the race to market comes at a cost to consumer privacy and security, cybersecurity professionals said.

In the face of that conflict, there is hope that the industry will police itself, although traditional government oversight may still prove necessary, they said. Some say the states may have a strong consumer security protection role to play. But others aren’t so sure.

IoT device developers and manufacturers usually “act in their own self-interest, which will not be adequate security,” Bruce Schneier, adjunct lecturer at the Harvard John F. Kennedy School of Government and a Berkman Klein Center for Internet and Society fellow, said at the recent RSA Security Conference. Although IoT laws or regulations may not be the end-all-be-all and could harm innovation, there needs to be something on the books to rein in corporate interests, he said.

Tatu Ylonen, CEO and founder of SSH Communications Security, told Bloomberg BNA that answers may also come from the industry itself—if the federal government or states fail to act. When the “first attack causes $30 billion of lost shareholder value,” then you’ll see a flurry of action, he said. But, for that first company, it’s “game over,” he said.

Others, however, don’t think federal laws and regulations, along with state actions, will be a panacea.

Christopher Pogue, chief information security officer at Nuix North America Inc., told Bloomberg BNA that he was far less optimistic that the federal government and states can effectively regulate IoT device security concerns. Legislation and regulation won’t help stop nefarious actors from breaking the law or avoiding federal or state rules, he said. Speeding is illegal but, “we still speed,” he said.

California Dreaming?

Even if all stakeholders agree that increased government oversight is needed to temper security concerns of the rapidly evolving IoT industry, states may not provide the solution, some say.

Christopher Novak, director of research, investigations, solutions and knowledge at Verizon Communications Inc., told Bloomberg BNA that efforts to pass data breach notification laws, on state or federal levels, offer a cautionary tale for those who favor sweeping legislation in the IoT sector. For example, California enacted the first-in-the-nation data breach notification statute in 2002. Now, 47 states and the District of Columbia have breach-notice laws. But a national law has never taken off, even with support from former FTC Chairman Edith Ramirez and former President Barack Obama.

IoT regulation is “basically a newborn baby,” Novak said. Much like how data breach legislation has progressed, “we’ve still got to see a decade of growing up in a real impactful way before we’re going to see it regulated or legislated,” he said.

Last Resort

If all else fails, companies and consumers need to be able to rely on the government for oversight into disruptive technologies, Phil Quade, chief information security officer at Fortinet Inc., told Bloomberg BNA. “The tool of regulation is a tool of last resort for the government,” Quade, a former National Security Agency special assistant for cyber and chief of its cyber task force, said.

States, not the federal government, will lead the charge, Quade said. “I don’t expect at the national level people will compel or regulate connectivity standards for IoT,” he said. It’s going to come down to pressure from industry and consumers “using their power of the purse to influence,” he said.

Ted Harrington, executive partner at cybersecurity research company Independent Security Evaluators LLC, said that because of the increased risk that comes with IoT devices, at some point there will be a need for laws and “regulation from a security perspective.” “Whether or not it’s effective, I would be skeptical,” Harrington said at the RSA Security Conference in San Francisco.

Schneier agreed that laws and regulations are needed, even though an intelligent, adaptive and malicious adversary will move faster than regulators and the law, he said. “This is a bigger problem than us, but we need to figure out how to create law when technology changes things so quickly,” he said.

To contact the reporter on this story: Joyce E. Cutler in San Francisco at JCutler@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
