[From the last episode: We looked at Amazon Key and the various pros and cons associated with such a product.]
We’ve been talking a lot about security, but that discussion has been about security technology and how it works. And we’ve blithely said that security is important and good. File that last bit under “D” for “Duh…”.
What we haven’t talked about is government policy. Why bring government into the picture? Because governments possess the power of enforcement that industry doesn’t have, with the exception of civil lawsuits. (And, clearly, anyone can bring a civil lawsuit about anything if they can find a lawyer willing to take the case.)
So, rather than civil actions, we’re talking criminal actions, which the state takes on our behalf. Or, to use the dreaded “R” word, “regulation.” Regulation gets a bad rap from industry, but not as much as you might think. Yeah, if you’re making your living by spamming phones, you’re not going to be happy with laws intended to stop you from doing that.
Regulating Security: Pro and Con
But let’s take security as a really good example. Let’s say you’re a well-meaning IoT-gadget maker, and you want to do the right thing. You want to build in good security, which is going to cost a bit more and perhaps add some hassle factor (like setting a new password). That might not be a big deal, except for the fact that there may be other, less well-meaning players that can use the lack of security as an advantage. They can say that their devices are cheaper and easier to use (without advertising that they’re also vulnerable to hacking).
So now you, as the good guy, are at a competitive disadvantage – especially if your customer base doesn’t understand the nuances of security. The no-security guy could simply say, “Oh, they’re just trying to scare you into paying more. This is just a bunch of security companies trying to get you to buy their product when you might not actually need it.” You’re the average Joe or Jane on the street, with no technology background (and you haven’t been following this website): whom do you believe? I’ve had plenty of conversations that convince me that lots of people will overlook all kinds of things so that they can brag that they saved $2.99 on something. Why not here too?
If you’re the “good guy,” you’d like to see some regulation, because then there’s a minimum standard that everyone, not just the “good guys,” needs to meet. Yes, the price goes up for everyone a bit, but, in this case, you’re getting something for that money: better protection from hackers.
What About Standards Instead of Regulation?
Industries create standards all the time for how to do things, as we’ve seen. There are safety standards for anything that might affect you or your family, put together by different organizations like Underwriters Laboratories. Problem is, there are no such solid standards for IoT security – it’s moving too quickly.
But, even if there were such standards, there would be no requirement for a manufacturer to design to those standards. That’s where regulation comes in.
The next question is who should do the regulating. Is it state by state? Companies hate that – they have to keep track of different requirements from each state. They prefer national – or even global – regulations so that they can sell one product everywhere.
But sometimes the Feds take too long to do anything. Especially these days, where pretty much nothing of value is getting done. So what then? Well, that’s where states take over. California was the first (as is often the case), and Oregon has followed suit. The laws are very similar, with the Oregon one following the basic ideas of the California one.
This is good – two laws that are more or less the same. But how do you regulate something as dynamic as security? Attacks and defenses change constantly. And there is a huge range of IoT devices – some small and cheap, some large and expensive. And everything in between. The security features you find on a smart refrigerator might not be appropriate for a door lock. How to regulate that?
Let’s Be Reasonable
Well, both states have opted for the word “reasonable” to describe the kind of security that they are requiring. And, of course, the first question out of anyone’s mouth is, “What is meant by reasonable?”
I listened to some of the testimony given for the Oregon law, and the legitimate concern of device makers is that no company will know what’s “reasonable” until the Attorney General’s office takes them to court and a judge decides – probably years after the device was designed. That could be a huge risk for a manufacturer – especially given monetary penalties. On the other hand, if you mention specific technologies, the law will go out of date in no time.
So the laws go a little further in trying to spell out what that means, and, for the most part, it means at the very least that:
- Devices must be shipped with individual passwords per device, or
- There must be a way for the user to “generate a new means of authentication before access is granted to the device for the first time.” In other words, some setup when registering your device.
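To make those two requirements concrete, here is an added example (not code from the original article, and not taken from either statute) of a minimal first-boot credential policy as a device maker might implement it. Each unit is provisioned with its own random factory password (the first bullet), and the device additionally refuses to grant access until the owner has replaced that password with a new credential of their own (the second bullet). The function and class names, the in-memory device record, and the list of shared defaults are all hypothetical.

```python
"""Added example: per-unit factory credentials plus a forced credential
change on first access. Names and the SHARED_DEFAULTS list are hypothetical."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000      # cost factor; tune for the device's CPU
MIN_PASSWORD_LEN = 12
# Credentials that are the same on every unit of a product line: exactly the
# anti-pattern the laws target. A real device would list its own past defaults.
SHARED_DEFAULTS = {"admin", "password", "12345678", "1234", "default"}


def _derive(password: str, salt: bytes) -> bytes:
    """Salted password hash; the device never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Device:
    serial: str
    salt: bytes
    pw_hash: bytes
    must_change: bool        # True until the owner sets their own credential


def provision(serial: str) -> tuple[Device, str]:
    """Factory step. Returns the device record and the unique per-unit password
    that goes on the product label (first requirement). The record starts in
    must_change state, so the label password only unlocks credential setup
    (second requirement)."""
    label_password = secrets.token_urlsafe(12)   # 16 chars, random per unit
    salt = os.urandom(16)
    return Device(serial, salt, _derive(label_password, salt), True), label_password


def fleet_is_unique(label_passwords: list[str]) -> bool:
    """Auditor's check for the first requirement: no two units share a password."""
    return len(label_passwords) == len(set(label_passwords))


def verify(device: Device, password: str) -> bool:
    return hmac.compare_digest(_derive(password, device.salt), device.pw_hash)


def login(device: Device, password: str) -> str:
    """Returns 'denied', 'must_set_new_credential' or 'granted'."""
    if not verify(device, password):
        return "denied"
    if device.must_change:
        # Authenticated with the factory credential, but nothing else on the
        # device is reachable until a new credential has been set.
        return "must_set_new_credential"
    return "granted"


def set_credential(device: Device, current: str, new: str) -> None:
    """The owner generates a new means of authentication (second requirement).
    Raises PermissionError if 'current' is wrong, ValueError if 'new' is weak,
    a known shared default, or just the factory password again."""
    if not verify(device, current):
        raise PermissionError("current credential rejected")
    if len(new) < MIN_PASSWORD_LEN:
        raise ValueError(f"new credential shorter than {MIN_PASSWORD_LEN} characters")
    if new.lower() in SHARED_DEFAULTS or verify(device, new):
        raise ValueError("new credential is a shared default or the factory password")
    device.salt = os.urandom(16)                 # fresh salt on every change
    device.pw_hash = _derive(new, device.salt)
    device.must_change = False                   # factory password now useless


if __name__ == "__main__":
    dev, label = provision("SN-0001")
    print(login(dev, label))                     # must_set_new_credential
    set_credential(dev, label, "Correct-Horse-Battery-9")
    print(login(dev, "Correct-Horse-Battery-9"), login(dev, label))  # granted denied
```

The two checks a reviewer would actually run against a product are `fleet_is_unique` over the label passwords of a manufacturing batch, and the `login` transitions: the factory credential must never return `granted`, and after `set_credential` it must return `denied`.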
That’s pretty limited in scope. But, if security standards come together, it would also be really helpful for a manufacturer to be able to say, “When we designed this, we followed what the best practices of the day were.” That “when we designed this” part is important: it wouldn’t be fair to charge a company under this law for not following, say, year 2025 standards on a device designed in year 2020. But even if they meet the password/authentication requirement, a company would probably still be vulnerable if they’re not following best practices at the time of design.
Yes, It May Be the Courts
In the end, courts may end up deciding the meaning of “reasonable.” It’s tough for a slow-moving process like lawmaking to keep up with a fast-paced industry like technology, so this appears to be the middle ground that they came up with.
We’ll see if it helps.