Despite the Challenges Ahead, It Falls on Government to Adopt a Three-Pronged Strategy to Improve IoT Security


1Q 2019 | IN-5424

Limited security specifications in IoT devices signal a market failure that has long required regulatory intervention. As long as built-in security features, such as secure code updates and authentication protocols, have not been a legal requirement, IoT vendors have been able to avoid implementing expensive security features. However, in 2018, the IoT sector, including device manufacturers and software vendors, witnessed a sea change in how government viewed its regulation of disruptive technologies. Regulation of IoT security occurred at the state level in the US and at the supranational level in the EU. What’s more, a voluntary national IoT code of practice was introduced in the UK. Overriding all this is a transformative change in the way vendors view government IoT regulation. Following growing consumer awareness of data privacy after the introduction of the EU’s GDPR (General Data Protection Regulation) and the purported use of tampered hardware in Chinese-originated devices for government espionage purposes, vendors may now be starting to view government-led regulation as more of an opportunity than an obstacle.



IoT Security and the Principal-Agent Problem


Regulatory measures are highly prone to coordination problems. This is why the principal-agent problem can be applied to understand the complexity of IoT security regulation. The principal-agent problem occurs when one person or entity, the “agent” (e.g., the government), is able to make decisions that impact another person or entity, the “principal” (e.g., the device manufacturer). This dilemma exists in circumstances where agents are motivated to act in their own best interests in ways that are contrary to the interests of their principals. IoT security regulation provides multiple instances of how the misalignment of interests identified by the principal-agent problem is exacerbated by the fast-changing nature of IoT technologies. Regulation of IoT and the alignment of government and vendor interests is increasingly difficult because of (1) the speed at which innovation in cyber threats makes government regulation ineffective, (2) the secondary effect of companies becoming inactive because of uncertainty about the effectiveness of government regulation, and (3) the resultant slowdown in technological adoption and the further slowing of regulators’ action. This vicious cycle, defined by uncertainty and inaction, only adds to the doubt and apprehension caused by the global effects of national and regional regulation. Article 3 of the EU’s GDPR states that if an entity collects personal data or behavioral information from consumers located in an EU country, the entity is subject to its requirements. As demonstrated by the GDPR’s current and future effects on US companies, governments now need to assess whether data and IoT security regulations are necessary in order to manage the contagion effects of regulation defined outside a given jurisdiction.

The Confluence of California Exceptionalism, EU Directives, and Vendor Optimism


Why did IoT security become a more pressing issue for governments in 2018?

The GDPR became enforceable: There are three ways in which the introduction of the GDPR has made various stakeholders, including government and IoT vendors, reassess the future of IoT regulation. Firstly, it highlighted the various ways in which the new EU privacy model differs from its US counterpart. The most important difference concerns the breadth of the law in the EU. The definition of a data breach, and by implication the assumed IoT security risk, is much more expansive in the EU. Secondly, what makes the GDPR so relevant to IoT is that it sets policy in 28 separate countries and applies not only to entities based in those countries but also to entities that have customers within them. The GDPR is a truly global regulation. A law of that scope holds useful lessons for regulating the complicated international supply chain of IoT devices and the internal supply chain of devices between states in the US. Thirdly, US multinationals seemed to underestimate the extent to which the GDPR affects their daily operations. Going forward, US multinationals cannot make minor modifications to their US privacy incident-response policies or merely assign this responsibility to their US response teams. They are required to rethink how their operations in Europe align with their global management of risk.


California passed the first IoT security bill in the United States: As it has done with the issues of online privacy and restoring net neutrality, California became the first state to act to secure the IoT. The bill, SB-327, is the first of its kind to make it a legal requirement for a manufacturer of a device that connects “directly or indirectly” to the internet to equip it with “reasonable” security features. These features should be designed to prevent unauthorized access, modification, or information disclosure. Yet, SB-327 is cursory and incomplete. The foremost criticisms of the bill are that it is vague (the definition of “reasonable” security features will inevitably change very quickly) and that it seeks to add “security features” rather than remove “insecure features.” The addition of security features will achieve little if existing security vulnerabilities are not resolved. Various measures, including the removal of listening ports and cross-site/injection issues in web management, will go a long way in correcting longstanding insecurities in IoT devices.


While the lawmakers behind the GDPR seem to have considered its future impact on IoT vendors outside the European Union, SB-327 falls short of addressing how the global IoT supply chain affects device security in California. For instance, there is no legal requirement for vendors to run security audits on firmware in low-level components bought from overseas suppliers.


Opportunity structures in IoT markets changed: IoT vendors are not averse to IoT security or data privacy regulation. However, they have been more focused on establishing a network of connected devices, working on platform services, and developing their main value propositions before investing in expensive and disruptive security services. Nevertheless, given the very public backlash to the purported use of tampered hardware in Chinese-originated devices and the growing consumer awareness of IoT security that inspired California’s new SB-327 law, vendors may now sense a unique opportunity. Once a government steps in and imposes more stringent security regulations, companies have an incentive to meet those standards as quickly, cheaply, and effectively as possible. Insecurity is profitable only if you can get away with it. Once you cannot, you might as well make a virtue out of necessity. By working with governments, vendors can demonstrate that they will comply with future security standards. The time is ripe for them to benefit from current public distrust of Chinese vendors. Alternatively, they can continue to profit temporarily from insecure devices at the cost of playing catch-up with future government regulation.

Government Should Apply IoT Regulation and Leverage Existing Capacities


ABI Research recommends a three-pronged strategy for governments wishing to improve the security of the IoT:

Leverage existing and future purchasing power: Recent controversies over the US Department of Defense’s (DoD) management of a procurement process, in which the chosen vendor would receive a cloud services contract valued at as much as US$10 billion, highlight the capacity of government to affect existing IoT security standards. The project, known as the Joint Enterprise Defense Infrastructure (JEDI) cloud, involves transitioning massive amounts of DoD data to a commercially operated cloud system. The “winner-take-all” contract at stake captures the trade-off that governments must confront as they invest in cloud services. On the one hand, the DoD can contain security risk to the IoT supply chain of a single vendor, with AWS likely to obtain this contract. Making multiple awards under current U.S. acquisition rules would be an arduous and slow process that could prevent the DoD from delivering the new technological capabilities and effectiveness that enterprise-level cloud computing can enable.


Yet, by investing in a single cloud vendor, the DoD would achieve little in the way of ensuring that additional vendors comply with existing and future data and IoT security regulations. Microsoft and Oracle, which have both criticized the bidding process for the JEDI contract, would agree that the government should leverage its purchasing power in multi-cloud markets; only then can it ensure that multiple vendors, and a greater share of the IoT and cloud markets, meet government-defined regulatory standards.


Ensure that government’s roles as IoT end user, infrastructure provider, and regulator align: As demonstrated by the U.S. DoD’s dilemma, there is a tension between governments’ various responsibilities as they relate to IoT. As infrastructure providers, governments aim to further technological development in order to create new value and new public goods. Yet, as regulators, governments have a duty to protect the public from the known and unknown risks and uses of new technologies. The government’s foremost tools in striking this balance between innovation and security are its purchasing power (as end user) and its ongoing definition of regulatory standards. However, as infrastructure providers and overseers of public services deploying IoT technologies, governments can also reduce function creep. Function creep—where a product is used in unanticipated ways—can introduce critical security flaws exacerbated by a lack of purpose-built tools. Governments can play a pivotal role in limiting function creep and reducing the likelihood of security vulnerabilities by managing the use of stable IoT devices and infrastructure across public services.


Offer an industry-standard and legally binding definition of “security by design”: There remains some confusion as to how this popular yet changing concept translates into actionable principles. One of the principal criticisms of SB-327 is that its vague and rigid conception of “security by design” will result in a slight, static improvement that will quickly be undercut by the changing tactics of cyber attackers. By the same token, a flexible conception of “security by design” can be said to suffer from definitional ambiguity. The principle’s mainstays are (1) crypto-agility and continual lifecycle management, (2) code signing, and (3) scalability as it pertains to the ongoing management of all versions of a device through its lifecycle. Yet, these mainstays are likely to change as cyber threats evolve. Ultimately, given the nature and constant metamorphosis of cyber risks, optimal and permanent IoT security standards will continue to evade government. However, this should not stop governments from providing working standards across verticals, managing the contagion effects of regulation defined abroad, and acting as the convener in an environment that currently resembles the prisoner’s dilemma.
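To make the first two mainstays concrete at the device end, the following Go program is an added illustration, not ABI Research’s material or any vendor’s code. It sketches a firmware-update check in which the update manifest carries an algorithm identifier, the device’s trust store carries an allow-list of algorithms, and the installed version number is enforced monotonically. The manifest layout, the field names, the `ed25519`/`ecdsa-p256` labels and the sample image bytes are all assumptions constructed for this example; the point it demonstrates is that “code signing” and “crypto-agility” are policy decisions the verifier owns, so an algorithm can be retired without re-flashing the fleet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update manifest (constructed for this example).
// Algorithm names the signature scheme; the device, not the image, decides
// whether that scheme is still acceptable.
type Manifest struct {
	Version   uint32   // monotonic counter used for anti-rollback
	ImageHash [32]byte // SHA-256 of the firmware image body
	Algorithm string   // "ed25519" or "ecdsa-p256" in this example
	Signature []byte
}

// TrustStore is what a device would be provisioned with at manufacture:
// vendor public keys plus the current algorithm allow-list.
type TrustStore struct {
	Ed25519Key ed25519.PublicKey
	ECDSAKey   *ecdsa.PublicKey
	Allowed    map[string]bool
}

var (
	ErrUnknownAlg   = errors.New("algorithm not on the allow-list")
	ErrBadSig       = errors.New("signature verification failed")
	ErrRollback     = errors.New("version is not newer than the installed one")
	ErrHashMismatch = errors.New("image hash does not match manifest")
)

// signingInput binds algorithm, version and image hash into one digest, so
// none of them can be swapped independently of the signature.
func signingInput(m Manifest) []byte {
	h := sha256.New()
	h.Write([]byte(m.Algorithm))
	h.Write([]byte{byte(m.Version >> 24), byte(m.Version >> 16), byte(m.Version >> 8), byte(m.Version)})
	h.Write(m.ImageHash[:])
	return h.Sum(nil)
}

// VerifyUpdate applies the device-side policy: allow-list, anti-rollback,
// image integrity, then the signature itself. Cheapest rejections come first.
func VerifyUpdate(ts TrustStore, installed uint32, m Manifest, image []byte) error {
	if !ts.Allowed[m.Algorithm] {
		return ErrUnknownAlg
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	msg := signingInput(m)
	switch m.Algorithm {
	case "ed25519":
		if ts.Ed25519Key == nil || !ed25519.Verify(ts.Ed25519Key, msg, m.Signature) {
			return ErrBadSig
		}
	case "ecdsa-p256":
		if ts.ECDSAKey == nil || !ecdsa.VerifyASN1(ts.ECDSAKey, msg, m.Signature) {
			return ErrBadSig
		}
	default:
		return ErrUnknownAlg
	}
	return nil
}

// Scenario runs several update attempts against one device and returns the
// outcome of each. Keys and image bytes are generated here for illustration.
func Scenario() (map[string]error, error) {
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ts := TrustStore{Ed25519Key: edPub, ECDSAKey: &ecPriv.PublicKey,
		Allowed: map[string]bool{"ed25519": true, "ecdsa-p256": true}}
	image := []byte("constructed firmware image, not a real build")

	out := map[string]error{}
	m := Manifest{Version: 2, ImageHash: sha256.Sum256(image), Algorithm: "ed25519"}
	m.Signature = ed25519.Sign(edPriv, signingInput(m))
	out["valid ed25519"] = VerifyUpdate(ts, 1, m, image)
	out["rollback"] = VerifyUpdate(ts, 2, m, image) // device already runs v2
	out["tampered image"] = VerifyUpdate(ts, 1, m, image[:len(image)-1])
	sub := m // relabel the algorithm: signature no longer matches the bound input
	sub.Algorithm = "ecdsa-p256"
	out["algorithm substitution"] = VerifyUpdate(ts, 1, sub, image)

	m2 := Manifest{Version: 3, ImageHash: sha256.Sum256(image), Algorithm: "ecdsa-p256"}
	if m2.Signature, err = ecdsa.SignASN1(rand.Reader, ecPriv, signingInput(m2)); err != nil {
		return nil, err
	}
	out["valid ecdsa"] = VerifyUpdate(ts, 2, m2, image)
	ts.Allowed["ecdsa-p256"] = false // crypto-agility: retire a scheme by policy alone
	out["retired algorithm"] = VerifyUpdate(ts, 2, m2, image)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	for name, res := range out {
		fmt.Printf("%-24s -> %v\n", name, res)
	}
}
```

The allow-list is deliberately separate from the key material: revoking an algorithm after a cryptanalytic advance is then a configuration change pushed through the same signed update channel, rather than a new device model, which is the “continual lifecycle management” half of the first mainstay.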

