Why An Incremental Approach May Be Key To IoT Security

Is California’s IoT Legislation A Step Too Far?

California’s recent IoT security law, mandating minimum security requirements for connected devices, attempts to thwart fraudsters and other bad actors. But while some security experts say the law goes too far, others claim it doesn’t do enough. In the latest IoT Tracker, Prasant Mohapatra, professor of computer science at UC Davis, discusses why incremental governmental oversight may be a better approach than sweeping legislation.

There are more than 10 billion IoT devices currently in use around the globe and 127 new ones connecting every second, giving fraudsters a massive target. Manufacturers have been researching and implementing more advanced security systems to protect their customers, while governments have been passing legislation to ensure those measures are up to snuff. But just how effective is all of this?

Providers may be integrating new security protocols, but not all methods are created equal, said Prasant Mohapatra, professor of computer science and vice chancellor for research at the University of California, Davis. These businesses must double down on security solutions and underlying authentication processes.

“What is a must is multifactor authentication,” he said, referring to systems that require two or more identity verification methods, such as a password and a code sent to users’ phones. “If we can tie at least one of the authentication methods to some kind of biometric feature, that will help a lot as well.”

Artificial intelligence (AI) and machine learning (ML) could also play major roles in device security, Mohapatra added. These types of technologies may work against the cybercriminals of today, but they could be ineffective against the fraudsters of tomorrow.

“Most of these devices will need to cooperate with other devices in the system,” Mohapatra explained. “That’s where there will be a lot of complexities and a lot of vulnerabilities. With device-to-device interaction, there has to be enough security implemented so you don’t leave any holes out there.”

Are Governments Equipped to Tackle IoT Security?

Many governments are passing IoT-related legislation to ensure that manufacturers are adhering to necessary security measures. SB-327 was passed last August in California, for example, requiring providers to equip IoT devices with reasonable security features. Under the law, each password-accessible unit must be given its own unique password, or users must be required to set their own upon activation.

Security experts argue that the bill doesn’t go far enough, as it does not address removing insecure features that introduce security loopholes. Mohapatra is more optimistic, arguing that even incremental improvements will force developers to implement their own security systems.

“Most IoT devices are … used by people who … may not have adequate technical expertise to handle [them],” he explained. “People using home security systems will not be technically aware of the security loopholes. So, we need policies to safeguard common people.”

Despite his support for bills like SB-327, Mohapatra urges caution when trying to legislate such a rapidly growing field.

“This is kind of a new territory, so I would like to take more cautious steps moving ahead. As technology matures further, there might be better ways to handle [security],” he said.

Mohapatra explained that this sort of discretion should have been applied in San Francisco, the first major U.S. city to ban all governmental use of facial recognition technology.

“This law is not about … facial recognition, it’s about trust,” he said. “People are concerned that the government may use [biometric data] for a purpose that [they] are not willing to give up their privacy for.”

Privacy advocates have argued that the law doesn’t go far enough, as it still allows private corporations to utilize facial recognition technology for data collection. Mohapatra believes taking the rule further would limit innovation.

“[That would] hinder a lot of expansions and use for this wonderful technology,” he explained. “From a personal viewpoint, I would like to have no restrictions. If we can figure out a way that facial recognition [can be] used only for the purpose for which it was originally intended – authentication – that would be the best situation.”

He also advocates for a largely hands-off approach when it comes to government regulation.

“I think [security solutions] will be more driven by individual citizens, and [by] the corporate world,” Mohapatra said. “If we leave security and privacy to be derived from the research world – both from industry as well as academia – we will [find] a better solution.”

What’s Next for IoT?

Mohapatra sees a bright future for the world of IoT, despite his concerns about security vulnerabilities and governmental overreach.

“My biggest hope is that we will have IoT everywhere,” he said. “There will be a parallel world where devices are interconnected and intercommunicating, and they’re achieving various tasks without much interference from humans. They’ll [improve] quality of life in all [aspects], including food, health, energy, the environment and any other societal needs.”

This dream does not come without risks, however.

“When we have millions of these devices, like human beings, there will be good guys and bad guys,” Mohapatra said. “How do we detect that? Managing that complex infrastructure will be a big challenge.”

Governmental regulations like those in California and San Francisco might be a stopgap, but long-term, incremental changes might be the key to IoT’s success.