In a recent hearing of two United States House subcommittees, veteran cybersecurity expert and Harvard lecturer Bruce Schneier argued that the U.S. government must pass overarching regulations mandating internet of things (IoT) security measures before device vulnerabilities start killing people. The hearing was held in large part because of recent cybersecurity attacks such as the Dyn DDoS attack in October 2016.
While that statement is sure to provoke a reaction, the reality of the open standards vs. regulation debate is a bit more complex. Regular readers of this blog know where we stand, as outlined in our Principles, but we would be remiss not to look at all sides, knowing that the true “answer” is likely somewhere in the middle.
Schneier’s point revolves around the fact that sellers and customers of IoT devices have little reason to fix the security issues within them without a push from the government.
An article from Computerworld covering the hearing condensed Schneier’s point as, “Many IoT devices are low-profit products with little security built in, no easy avenue to patch vulnerabilities, and no way for customers to know their devices are compromised, he and other experts said. And while users replace smartphones every 18 months, a compromised DVR may be used for five years, a car for 10, and a thermostat may be replaced approximately never. This leads to a market failure where regulation is needed.”
While the Republican-majority Congress is not keen on regulation, it isn’t completely opposed to Schneier’s points. It is, however, cautious to avoid creating these regulations as a “knee-jerk reaction” to recent attacks, said Representative Greg Walden, an Oregon Republican. “The United States cannot regulate the world.” Many IoT devices are manufactured overseas, Walden noted, and U.S. regulations can’t mandate their security measures.
In addition, the committee argued, regulations have a way of stifling innovation – something we tend to agree with. Particularly as the IoT market grows, loss of innovation at any level could strangle progress. However, witnesses at the hearing pressed the U.S. government to find a common ground on regulations that the industry can adopt without suffering too much loss on innovation.
According to Kevin Fu, CEO of Virta Labs and a computer science professor at the University of Michigan, “IoT security remains ‘woefully inadequate’ even as security experts saw the problems coming. We are in this sorry and deteriorating state because there’s almost no cost for a manufacturer to deploy products with poor cybersecurity.”
This argument further demonstrates the need for research, work and effort on the open standards side of the debate. While the side we fall on is clear, we also want to acknowledge and discuss arguments from all sides of this complex and vitally important issue.
Late in 2016, the U.S. National Institute of Standards and Technology (NIST) released updated guidance on securing IoT.
If you’re curious to learn more about our perspective on open standards, check out our infographics.