Lawmakers and regulators should continue to oversee data security issues of web-connected devices even as internet of things technology outpaces their efforts, cybersecurity researchers and industry insiders told Bloomberg BNA.
Manufacturers race to get their newly designed internet of things (IoT) devices to market quicker than their competitors. The aim of the IoT industry, which Cisco Systems Inc. Executive Chairman John Chambers told Bloomberg News may be worth $19 trillion, is to be the first to market and at the lowest price. But sometimes, the race to market comes at a cost to consumer privacy and security, cybersecurity professionals said.
In the face of that conflict, there is hope that the industry will police itself, although traditional government oversight may still prove necessary, they said. Some say the states may have a strong consumer security protection role to play. But others aren’t so sure.
IoT device developers and manufacturers usually “act in their own self-interest, which will not be adequate security,” Bruce Schneier, adjunct lecturer at the Harvard John F. Kennedy School of Government and a Berkman Klein Center for Internet and Society fellow, said at the recent RSA Security Conference. Although IoT laws or regulations may not be the end-all-be-all and could harm innovation, there needs to be something on the books to rein in corporate interests, he said.
Tatu Ylonen, CEO and founder of SSH Communications Security, told Bloomberg BNA that answers may also come from the industry itself—if the federal government or states fail to act. When the “first attack causes $30 billion of lost shareholder value,” then you’ll see a flurry of action, he said. But, for that first company, it’s “game over,” he said.
Others, however, don’t think federal laws and regulations, along with state actions, will be a panacea.
Christopher Pogue, chief information security officer at Nuix North America Inc., told Bloomberg BNA that he was far less optimistic that the federal government and states can effectively regulate IoT device security concerns. Legislation and regulation won’t help stop nefarious actors from breaking the law or avoiding federal or state rules, he said. Speeding is illegal but, “we still speed,” he said.
Even if all stakeholders agree that increased government oversight is needed to temper security concerns of the rapidly evolving IoT industry, states may not provide the solution, some say.
Christopher Novak, director of research, investigations, solutions and knowledge at Verizon Communications Inc., told Bloomberg BNA that efforts to pass data breach notification laws, on state or federal levels, offer a cautionary tale for those who favor sweeping legislation in the IoT sector. For example, California enacted the first-in-the-nation data breach notification statute in 2002. Now, 47 states and the District of Columbia have breach-notice laws. But a national law has never taken off, even with support from former FTC Chairman Edith Ramirez and former President Barack Obama.
IoT regulation is “basically a newborn baby,” Novak said. Much like how data breach legislation has progressed, “we’ve still got to see a decade of growing up in a real impactful way before we’re going to see it regulated or legislated,” he said.
If all else fails, companies and consumers need to be able to rely on the government for oversight into disruptive technologies, Phil Quade, chief information security officer at Fortinet Inc., told Bloomberg BNA. “The tool of regulation is a tool of last resort for the government,” Quade, a former National Security Agency special assistant for cyber and chief of its cyber task force, said.
States, not the federal government, will lead the charge, Quade said. “I don’t expect at the national level people will compel or regulate connectivity standards for IoT,” he said. It’s going to come down to pressure from industry and consumers “using their power of the purse to influence,” he said.
Ted Harrington, executive partner at cybersecurity research company Independent Security Evaluators LLC, said that because of the increased risk that comes with IoT devices, at some point there will be a need for laws and “regulation from a security perspective.” “Whether or not it’s effective, I would be skeptical,” Harrington said at the RSA Security Conference in San Francisco.
Schneier agreed that laws and regulations are needed, even though an intelligent, adaptive and malicious adversary will move faster than regulators and the law, he said. “This is a bigger problem than us, but we need to figure out how to create law when technology changes things so quickly,” he said.
To contact the reporter on this story: Joyce E. Cutler in San Francisco at JCutler@bna.com
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.