The Insecurity of Things: a Brief History of US IoT Cybersecurity Legislation (Part 2)
Check out these national attempts to legislate IoT security.
There have been a number of efforts over the last few years to legislate or provide a legal response to matters of cybersecurity. Part 1 of this article looks at recent efforts by California. This part examines the national attempts to legislate security for these poorly secured connected devices.
Security and Privacy in Your Car (SPY Car) Act (2017)
In 2015 and again in 2017, Senator Ed Markey introduced the Security and Privacy in Your Car (SPY Car) Act, legislation that would direct NHTSA and the Federal Trade Commission to establish federal standards to secure our cars and protect drivers’ privacy. The SPY Car Act also establishes a rating system — or “cyber dashboard” — that informs consumers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards. It further requires that every vehicle give “clear and conspicuous notice” to the driver about what driving data is being collected, whether it is being transmitted or saved, and how it is being used.
Status: Read twice and referred to the Committee on Commerce, Science, and Transportation. No further action.
The Internet of Things Cybersecurity Improvement Act (2017)
The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 was backed by the co-chairs of the Senate Cybersecurity Caucus — Democrat Mark R. Warner and Republican Cory Gardner — as well as Democrat Senator Ron Wyden and Republican Senator Steve Daines.
The bill would require a contractor providing an Internet-connected device to certify that it does not contain “any hardware, software, or firmware component with any known security vulnerabilities or defects” listed in the US National Institute of Standards and Technology’s National Vulnerability Database. Devices would have to be certified as capable of “accepting properly authenticated and trusted updates from the vendor” and as using “only non-deprecated industry-standard protocols and technologies” for functions such as network communications and encryption. Further, a contractor must certify that the device “does not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication.”
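The four attestations above map directly onto checks a vendor or procurement team could automate against a device's component manifest. The following is an added illustration, not code from the bill, the article, or any real vendor: the vulnerability feed, the deprecated-protocol list, and both device manifests are constructed sample data, and the advisory identifiers are placeholders rather than real NVD entries. A real check would query NIST's NVD for the component list instead of the inline dictionary.

```python
"""Toy certification check modelled on the four vendor attestations summarised
above (known vulnerabilities, authenticated updates, non-deprecated protocols,
no fixed credentials). Added example with constructed data; not the bill's text
and not any real product's manifest."""
from dataclasses import dataclass

# Constructed stand-in for an NVD-style feed: component -> list of
# (first fixed version, advisory id). Versions below the fixed one are affected.
KNOWN_VULNS = {
    "libssl": [((1, 0, 2), "VULN-EXAMPLE-1")],
    "busybox": [((1, 30, 0), "VULN-EXAMPLE-2")],
}

# Protocols this hypothetical policy treats as deprecated for comms/crypto.
DEPRECATED_PROTOCOLS = {"telnet", "ftp", "sslv3", "tls1.0", "tls1.1", "wep"}

# Only an origin-authenticating mechanism counts as "properly authenticated":
# a bare checksum proves integrity of the download, not who produced it.
ACCEPTED_UPDATE_AUTH = {"vendor-signature"}


@dataclass
class Device:
    components: dict        # component name -> version string
    protocols: set          # protocols used for communication or encryption
    update_auth: str        # how firmware updates are authenticated
    fixed_credentials: dict # username -> password baked into the image


def parse_version(text):
    """'1.0.1' -> (1, 0, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def certification_findings(dev):
    """Return the reasons the device fails any of the four attestations.

    An empty list means the device would pass this toy check."""
    findings = []
    # 1. No component with a known vulnerability in the feed.
    for name, version in dev.components.items():
        for fixed_in, advisory in KNOWN_VULNS.get(name, []):
            if parse_version(version) < fixed_in:
                findings.append(f"known vulnerability: {name} {version} ({advisory})")
    # 2. Updates must be authenticated, not merely checksummed.
    if dev.update_auth not in ACCEPTED_UPDATE_AUTH:
        findings.append(f"updates not authenticated: {dev.update_auth}")
    # 3. No deprecated protocols for communications or encryption.
    for proto in sorted(dev.protocols & DEPRECATED_PROTOCOLS):
        findings.append(f"deprecated protocol in use: {proto}")
    # 4. No fixed or hard-coded credentials.
    if dev.fixed_credentials:
        findings.append("fixed credentials present for: "
                        + ", ".join(sorted(dev.fixed_credentials)))
    return findings


def certifiable(dev):
    return not certification_findings(dev)


# Constructed manifests: a weak first revision and a remediated second one.
CAMERA_V1 = Device(
    components={"libssl": "1.0.1", "busybox": "1.31.0"},
    protocols={"telnet", "tls1.2"},
    update_auth="checksum-only",
    fixed_credentials={"admin": "admin"},
)
CAMERA_V2 = Device(
    components={"libssl": "1.1.1", "busybox": "1.31.0"},
    protocols={"tls1.2"},
    update_auth="vendor-signature",
    fixed_credentials={},
)

if __name__ == "__main__":
    for label, dev in (("camera v1", CAMERA_V1), ("camera v2", CAMERA_V2)):
        status = "certifiable" if certifiable(dev) else "; ".join(certification_findings(dev))
        print(f"{label}: {status}")
```

The first manifest fails all four attestations (one vulnerable component, checksum-only updates, Telnet enabled, a fixed admin password); the second passes. The "checksum-only" case is the one worth noting: a hash published next to the firmware lets the device detect corruption but says nothing about whether the vendor produced it, which is what "properly authenticated and trusted" asks for.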
Status: Read twice and referred to the Committee on Homeland Security and Governmental Affairs. No further action.
Cyber Shield Act of 2017 (2017)
Put forward by Congressman Ted W. Lieu and Senator Ed Markey, the Cyber Shield Act of 2017 aims to create a voluntary program that would independently identify, verify, and label compliant Internet-of-Things (IoT) devices that meet strong cybersecurity standards. The program would help consumers make well-informed decisions related to cyber and data security. The bill establishes an advisory committee that would create cybersecurity benchmarks for IoT devices such as baby monitors, cameras, cell phones, laptops, and tablets. Companies manufacturing devices that meet the voluntary standards could then display their certification for consumers. It's certainly a great start, assuming that standards can be assessed and labeled as fast as technology advances.
Status: Referred to the Subcommittee on Digital Commerce and Consumer Protection. No further action.
FTC Case Against TRENDnet
While not a law, the particulars of this case are interesting. The Federal Trade Commission (FTC) released a report on IoT privacy and security in early 2015 that detailed issues and a series of recommendations for companies developing IoT devices. These included the recommendation “that vendors monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.”
Several of these principles were embodied in the Commission’s first case involving an Internet-connected device. The FTC filed a complaint against security camera maker TRENDnet for allegedly misrepresenting its software as “secure.” In its complaint, the Commission alleged, among other things, that the company transmitted user login credentials in clear text over the Internet, stored login credentials in clear text on users’ mobile devices, and failed to test consumers’ privacy settings to ensure that video feeds marked as “private” would, in fact, be private.
As a result of these alleged failures, hackers were able to access live feeds from consumers’ security cameras and conduct “unauthorized surveillance of infants sleeping in their cribs, young children playing, and adults engaging in typical daily activities.” The complaint came after hackers breached TRENDnet’s website and accessed videos from 700 users’ live-camera feeds — many of these videos were published on the Internet.
The case was settled with stipulations requiring the company to obtain third-party assessments of its security programs every two years for the next 20 years. TRENDnet was also required to notify customers about the security issues with the cameras and the availability of the software update to correct them, and to provide customers with free technical support for the next two years to assist them in updating or uninstalling their cameras.
Is Legislation, Education, or Self-Regulation the Answer?
It's clear that unless consumers buy cybersecurity protection that can detect, prevent, patch, and repair any vulnerabilities that appear, any cybersecurity effort will degrade over time; it depends on continued vigilance from customers.
Even just cataloging all the connected devices in a single workplace could be a mammoth undertaking. Most people have no idea how many connected devices they own. Personally, I’m unconvinced that a minimum security standard or rating system would work either, given the sheer volume of connected devices emerging each year and how quickly new vulnerabilities overturn a device's security posture.
Further, it's notable that efforts such as the Cyber Shield Act rely on 'voluntary' involvement, and we have little evidence that good labeling or ratings will compel all device manufacturers to act. I equate voluntary with self-regulation, and we've seen no sign that the industry responds to some kind of moral compass when it comes to cybersecurity efforts. Without regulation and consumer pressure to require companies to act, it is unlikely that technology companies will provide ‘term of life’ protection for consumers.
I believe it won't be until we see significant litigation in response to cybersecurity attacks that things will change for the better. For example, we're now seeing a class action against a hospital affected by disrupted medical services due to the WannaCry attacks of 2017, the first notable U.S. class-action lawsuit in response to a ransomware attack. At a recent Black Hat conference in Las Vegas, Ijay Palansky, who represented plaintiffs in the 2016 Jeep hack, suggested that a “wave of litigation over IoT liability is on the horizon,” assuming a class action is not prohibited as in the California legislation. The law is slow to move, but things could start getting interesting.