New IoT Security Bill Exposes Rising Data Protection, Safety Concerns

Approximately 20 billion IoT-enabled devices will be connected by 2020. These items are fast, handle an increasingly large amount of personal and financial data and tend to be prone to cybercriminals’ attacks. A large-scale, IoT-based breach has yet to occur, but the seeds are already sprouting.

Thus, IoT security is becoming an essential part of modern conversations. Bad actors are eyeing weaknesses in these systems to launch attacks, according to Steve Bunnell, former general counsel for the U.S. Department of Homeland Security (DHS) and data security and privacy practice chair of D.C.-based law firm O’Melveny.

“Clearly there is an emerging threat created by having all of this stuff connected to the internet, which makes it vulnerable to cyberattacks [and] which can be directed to the device as a target or employ the device to attack others,” Bunnell noted in a recent interview with PYMNTS. “A lot of the devices we’re talking about have no security. They weren’t built with security in mind, and there really isn’t any way to patch them.”

The IoT security conversation is becoming more heated in the U.S. as these devices multiply in number, with the Internet of Things Cybersecurity Improvement Act of 2019 currently making the rounds in Washington, D.C. The bipartisan bill proposes several changes to how connected devices are treated, including general recommendations, standards and regulations for greater user protections. It also asks for “vulnerability disclosures” to curb weaknesses when IoT companies sell to federal agencies — a possible precursor to similar consumer safeguards.

IoT’s expansion presents security challenges

The new bill is an upgrade from one introduced in 2017, but the discussion has picked up in recent years. Concerns are growing over the security of the vast scale of devices becoming ever-more prevalent for both IoT developers and customers, Bunnell said.

“If someone can hack into your car, which has now become a computer on wheels, crash the car and kill you, that’s going to provide regulators, policy makers, a reason to try to do something [about it],” he explained. “I think we’re rapidly approaching a world in which [regulations are] going to start happening more regularly.”

Bunnell recalled a 2015 instance in which a benevolent hacker demonstrated the ease of gaining access to a connected car, something that may have been of mild concern when the technology was relatively nascent three years ago. It is now a key interest area for IoT creators, and malicious instances unfortunately seem “inevitable,” he said. Simply put, the conversation has changed.

Bills such as the IoT Improvement Act suggest security standards to help plug the gaps in connected cars, airplanes and consumer devices. This can be trickier than it sounds, however, even as regions like California introduce state-level protective legislation.

“It’s a hard thing to try and mandate,” Bunnell said. “One of the challenges is that a lot — if not most — of the manufacturing is done outside of the U.S. in places like China where our regulations are not going to have an impact. So, if you try and approach it as a regulatory issue, who are you going to go after? Where are you going to put the regulatory liability, on the retailer that’s selling the [smart] fridge or the car dealer who’s selling the car that has chips [made in China]?”

California’s legislation focuses on both retailers and the “people [who] make the things” for liability purposes, he added, but overseas creators still cannot be bound by an individual state’s regulations.

IoT security in a connected world

On a federal level, even deciding which devices count among the IoT-enabled can be a bit murky — another challenge when regulating the market. The 2017 IoT Cybersecurity Improvement Act’s definition of an IoT device could have applied to smartphones or any other hardware that uses the internet, for example. Deciding which are IoT devices and which are just internet-connected is “an important threshold question,” Bunnell said.

Both regulators and IoT creators will need to follow the answer carefully, however. The rising number of devices means data protection is becoming more prevalent among consumers when purchasing new electronics or products.

“There’s a general increasing concern around privacy, and the privacy implications of all the data aggregation that’s now possible,” Bunnell said, adding that he believes a federal response to this issue — increased privacy standards or otherwise — will be likely as time goes. “As consumers start to demand more privacy from companies … you will see companies promising certain types of privacy and security around data.”

It may not be certain which elements will be promised or enforced, but the IoT world’s growth necessitates both security and regulation. In fact, the former is now more than a want but a necessity as consumers and businesses share their data across increasingly global networks.