It’s About Time for IoT Security Standards

Last week, President Joe Biden signed an executive order specifically designed to improve America’s cybersecurity efforts. Whether it was sparked by the recent ransomware attack on the Colonial Pipeline or any number of previous, harmful attacks on both public and private assets, the order is as badly needed as it is long overdue.

When the first electrically powered appliances began to make their way into our homes more than a century ago, many caught fire and burned down houses due to a lack of federal safety electrical standards. The historical reference is relevant to the current lack of security standards we are seeing in today’s Internet of Things market, which is the network of intelligent physical objects — or “things” — that are embedded with sensors, software and other technologies for the purpose of connecting and exchanging data via the internet. The most common IoT products consumers are familiar with include voice assistants, smart home lighting and security cameras. But rather than sparking a literal fire, the lack of IoT security standards exposes consumers and their property to other serious forms of harm.

A Security Problem of Our Own Making

Most consumers falsely assume security comes pre-baked into the IoT products available for purchase, but that is not necessarily the case. While industry alliances and government agencies have published various guidelines and cybersecurity standards establishing minimum-level security, the stark reality is that many IoT device makers and vendors have not adopted or implemented any of them. This is why we hear horror stories about smart appliances, medical devices and baby monitoring cameras being hacked, with people’s privacy invaded and data stolen. The IoT industry’s failure to self-regulate on security at scale essentially forced government regulators to step in to protect end users. With researchers estimating that 40.8 percent of smart homes have at least one device vulnerable to attacks, this is a serious situation needing urgent attention.

Legislation in the Works

In 2020, the United States passed the Internet of Things Cybersecurity Improvement Act of 2020, the first U.S. federal law to directly address IoT security. The act requires federal agencies to procure only devices meeting minimum cybersecurity standards and establishes a vulnerability reporting and notification program. Sen. Ed Markey (D-Mass.) and Rep. Ted Lieu (D-Calif.) also reintroduced the Cyber Shield Act this year, which would create a voluntary system to certify cybersecurity protections for IoT devices. The act would create a federal advisory committee with members from government, industry, and academia to set cybersecurity IoT benchmarks.

Technology legislation is by no means easy to sift through for a layperson, but as new technology regulations evolve in the coming months, it’s crucial that both industry and consumers understand the most important considerations of IoT security for future legislation:

(1) Secure Upon Arrival: Arguably the most important change needed in IoT security is for government to make it mandatory for IoT product manufacturers to build products that are secure by default. New IoT products should operate out of the box with security features enabled. This also means that once a consumer adds a new IoT device to their network, the device should not require any further configuration to be used securely.

(2) Secure Operations of Manufacturer: Technology manufacturers need to embrace a set of security practices within their own operations to ensure the products they make are actually secure. For example, if a manufacturer continuously experiences internal security breaches due to negligent or compromised network security, or a lack of security management processes, it’s fair to say its product security may not be up to standard either.

(3) Threat Modeling Research Required: IoT device makers also need to understand the threats and risks around how products will be developed, produced and used by customers. This entails research into how the product will be used, what kind of data it will process and, most importantly, who would potentially want to compromise that data. Once companies understand who the most likely hackers are, products can be designed to thwart those attackers.

(4) Mandated Breach Preparation: Companies must demonstrate that they have effective means to respond to cybersecurity incidents. They must have both an operational security incident response process, designed to address incidents impacting their own operations, and a product security incident response process, built to help customers address security incidents impacting purchased products and services.

(5) Lifetime Security Upgrades: Companies developing products with long lifetimes must demonstrate that, for the duration of a product’s expected life, they have the capability to securely update and upgrade its security to keep pace with new and emerging threats.

(6) Supply Chain Security Integrity: Companies must demonstrate that they can effectively manage cybersecurity risks across their entire supply chain. Regular accountability checks must be performed to monitor compliance with security standards over time, as threats grow and change.

Crafting commonsense IoT security legislation is not a simple task, but it is achievable and must be done. Biden’s executive order is encouraging and validates the cybersecurity approach many companies in the industry are already taking to secure the IoT. This isn’t our nation’s first time tackling complex legislation around safety product policies for household electronics, and it won’t be our last. I am optimistic that if the industry collectively shares best practices, security technology professionals can help legislators draft regulations that keep consumers’ data secure while enabling IoT technology to continue to thrive in our day to day lives.

Sharon Hagi is chief security officer at Silicon Labs, where he is responsible for overseeing the company’s comprehensive cybersecurity strategies and best practices for delivering advanced security technologies.