SAN FRANCISCO—Computer security expert Bruce Schneier, who often is among the first to sound the klaxons when it comes to computer and Internet security problems, took the stage at the RSA Conference last month to add his voice to those of many people worried about the insecurities of the Internet of Things, and call for the government to intervene and regulate the field on behalf of consumers.
“Law and technology have to work together,” he told the crowd of more than 6,000 conference attendees halfway through his presentation. “This is the most important lesson from Edward Snowden. We always knew that technology could subvert law. What Snowden showed us is that law could subvert technology, and that both have to work together.”
Schneier, the chief technology officer of IBM Resilient and special adviser to IBM Security, said the United States needs “a new regulatory agency” to oversee computer security standards for IoT devices, 21 billion to 50 billion of which are expected to be in use by 2020. He noted that many regulatory agencies, such as the Federal Communications Commission and the Nuclear Regulatory Commission, were formed to manage new technologies.
Schneier’s plea isn’t the first call by a security professional for systemic government regulation of technology security. At the moment, experts say, safety regulations on software and connected devices resemble a patchwork in progress.
One of those experts is Josh Corman, who, as director of the Cyber Statecraft Initiative at the Atlantic Council, works closely with government officials to develop IoT regulations designed to protect consumers while allowing manufacturers to innovate.
“On the battles I’ve been fighting, we’ve had unparalleled success,” Corman says, pointing to developments such as new Food and Drug Administration postmarket guidance on IoT devices, which the agency put together in less than a year, and the Department of Homeland Security’s set of strategic principles for securing IoT, which included guidance on how to publicly detail a software program’s open-source components.
Although early public efforts to improve IoT safety appear to be fruitful, not every federal official in the space agrees with Schneier’s notion that the United States needs a new regulatory agency.
IoT security issues such as unpatched device software “will be solved by the market,” Allan Friedman, director of cybersecurity initiatives at the Department of Commerce’s National Telecommunications and Information Administration, said during a separate RSA presentation. “We just have to convince the market to do the right thing. You can’t have a liability regime, if you can’t tell people how to operate in the space.”
Friedman says he expects to see “preliminary” designs for IoT security labels to be placed on devices “by early summer.” And “by CES [in January], I’d like Consumer Reports to say which products are patching” security flaws on a regular basis.
The efficacy of regulatory mechanisms like product labeling or external listing depends on how they are implemented, says Ted Harrington, an executive partner at Independent Security Evaluators, a computer security research company that has been looking at IoT devices for more than a decade.
“We need not a pass/fail system, but to be able to articulate where a manufacturer is on a spectrum,” he says. Over the years, he says, “Some companies get better, but in aggregate, I’ve seen the industry get worse.”
Case in point: the Internet of Things botnet called Mirai that took down the Internet on the Eastern seaboard and in parts of Europe with hacked IoT webcams last fall.
Vulnerable, unpatched devices like the cameras used in Mirai “won’t be fixed” until there is consensus on how to regulate IoT, Corman says, leaving consumers exposed to harm as long as the devices are in mass use. “You can’t boil the ocean to fix IoT, but the lesson of Mirai kind of says you have to.”
One way or another, Schneier told the RSA crowd, the federal government will increase its involvement with the Internet of Things.
“Our choice here isn’t government involvement or no government involvement. Our choice is smarter government involvement, or stupider government involvement. And we have to start thinking about this now; otherwise, this will be imposed on us,” he said. “We need to make sure that the regulations that are coming don’t stifle innovation.”