From the report: The large and diverse number of IoT vendors, who are driven by competition to keep prices low, hinders coordinated efforts to build security by design into the IoT on a voluntary basis. Left unchecked, the growing IoT widens the gap between the ideal investment from the commercial point of view and from society’s view.
That’s not nearly as strident as the sentiment expressed by most industry experts who understand that most IoT device makers look at security only as an afterthought. It’s been demonstrated repeatedly that almost every IoT device on the market can be hacked, often quite easily. There are exceptions, but a large percentage of devices have little or no defense against hacking.
The Department of Homeland Security is also looking at IoT and issued a set of guidelines they want to the industry to adopt. DHS believes that unprotected IoT devices are a national security threat. We now saw good evidence of this last month after massive denial of service attacks were launched from security cameras and home appliances. The DHS guidelines suggest some common sense requirements like allowing devices to have unique passwords and allowing IoT devices to receive needed software updates.
The Federal Trade Commission is also looking at IoT security issues. The agency recently announced a $25,000 prize to anybody who could offer a security solution for dealing with outdated software in IoT devices.
The Department of Commerce also recently issued IoT guidelines, but the guidelines seem to be aimed internally at the agency and not at the wider world.
This all raises the question of who should be regulating IoT? Right now the answer is nobody – there is no agency that has clear jurisdiction to impose any requirements on the IoT industry. And that is because such authority can only be granted by Congress. We’ve seen this same thing happen many times in the last fifty years as new technologies spring into existence that don’t fit neatly into any existing jurisdictional bucket.
The closest process we have to what is needed to regulate at least part of the IoT today is the way the FCC certifies new wireless and other telecom devices. Most people don’t realize it, but all phones and many other kinds of telecom gear undergo vigorous testing at the FCC to make the sure the devices do what they say they do and to make sure that they won’t interfere with the rest of the world. We need a similar process to tst and certify IoT devices because we can’t ever just take the IoT manufacturers’ words that their devices meet and standards that are developed.
But the FCC today has zero authority to regulate the IoT. For now they have created the ability to regulate ISPs through Title II regulations – but that is expected to be reversed or watered down soon. But even that authority doesn’t give them any jurisdiction over the IoT. Like many technologies, the IoT is something new that doesn’t fit into any existing regulatory framework.
It’s not really comforting, but there are a bunch of other new industries with the same situation. There is no agency that has any clear regulatory authority over driverless cars. Nobody has any real authority to regulate artificial intelligence. There are only very minimal regulations for gene-splicing.
I think most of us believe that some level of regulation is good for these big society-changing technologies. Certainly if nobody regulates the IoT we will have disaster after disaster from misuse of the technology. I hope we don’t wait too long to tackle this until it’s too late and there are billions of poorly manufactured IoT devices in the world that can’t be fixed.