Could regulation be the best thing for IoT?

By Lloyd McCoy Jr., Market Intelligence manager
Tags: cybersecurity, IoT

A new year inspires a fresh look at various issues facing the IT industry and one of them is how the Internet of Things devices should be regulated.

There have been several relevant bills on the Hill since summer, but a recently introduced bill addresses perceived vulnerabilities in the security of IoT devices sold to the federal government. It also addresses the security of medical devices that connect to the Internet. IoT device manufacturers would also have responsibilities to ensure security over the life of the devices.

The counter-argument to this legislation is that disclosure and certification requirements could create additional liability for device manufacturers.

Using buying power to push the security agenda

The IoT Cybersecurity Improvement Act of 2017 was intended to use the government's procurement strength to raise the security of IoT devices purchased by the federal government. Among other things, the bill would have vendors of Internet-connected devices ensure that the devices can accept properly authenticated security updates from the vendor and are free of known security vulnerabilities when they are sold to the government. Vendors would also have to ship devices without hard-coded credentials, so that every username and password can be changed by the buyer, closing the fixed default logins that attackers routinely try first.

The bill would also direct the White House Office of Management and Budget (OMB) to develop network-level security requirements for devices whose limited data-processing and software functionality makes the device-level requirements impractical, and it would require each executive agency to maintain an inventory of all of its Internet-connected devices.
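To make the bill's baseline concrete, here is a small procurement gate, added as an example and not part of the original post or of the bill's text, that checks a vendor's device attestation against the three device-level requirements (authenticated updates, no known vulnerabilities at sale, no fixed credentials) and reconciles what is seen on the network against the agency inventory. The attestation fields, the `signed-ota` channel name, the advisory identifiers and the sample devices are all assumptions constructed for this example; a real check would consult the NIST NVD or vendor advisories rather than the inline table.

```python
"""Added example: procurement gate for the IoT Cybersecurity Improvement Act baseline.

Not code from the original post. The attestation schema, the "signed-ota" channel
name, the advisory ids and the sample devices below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


# Constructed stand-in for a vulnerability feed: component -> affected version -> advisory id.
# An agency would query NIST's NVD or the vendor's advisories; these ids are placeholders.
KNOWN_VULNERABILITIES: Dict[str, Dict[str, str]] = {
    "busybox": {"1.20.0": "ADV-EXAMPLE-1"},
    "dropbear": {"2016.72": "ADV-EXAMPLE-2"},
}


@dataclass
class DeviceAttestation:
    """What a vendor asserts about a device at sale (assumed schema)."""
    model: str
    components: Dict[str, str]        # software component -> version, as declared by vendor
    update_channel: Optional[str]     # e.g. "signed-ota"; None means no way to deliver patches
    credentials_changeable: bool      # can the buyer replace every shipped login?
    hardcoded_credentials: bool       # a login baked into firmware that cannot be removed


def check_patchable(dev: DeviceAttestation) -> List[str]:
    """Requirement: the device must accept properly authenticated updates from the vendor."""
    if dev.update_channel is None:
        return [f"{dev.model}: no mechanism to deliver security patches"]
    if dev.update_channel != "signed-ota":
        return [f"{dev.model}: update channel '{dev.update_channel}' is not authenticated; "
                "updates could be forged"]
    return []


def check_known_vulnerabilities(dev: DeviceAttestation) -> List[str]:
    """Requirement: no known vulnerabilities in the declared components at time of sale."""
    findings = []
    for component, version in dev.components.items():
        advisory = KNOWN_VULNERABILITIES.get(component, {}).get(version)
        if advisory:
            findings.append(f"{dev.model}: {component} {version} has known vulnerability {advisory}")
    return findings


def check_credentials(dev: DeviceAttestation) -> List[str]:
    """Requirement: no hard-coded credentials; every shipped login must be changeable."""
    findings = []
    if dev.hardcoded_credentials:
        findings.append(f"{dev.model}: ships with hard-coded credentials")
    if not dev.credentials_changeable:
        findings.append(f"{dev.model}: shipped credentials cannot be changed by the agency")
    return findings


def evaluate(dev: DeviceAttestation) -> Dict[str, List[str]]:
    """Run every requirement; an empty dict means the device passes the gate."""
    results = {
        "patchable": check_patchable(dev),
        "known_vulnerabilities": check_known_vulnerabilities(dev),
        "credentials": check_credentials(dev),
    }
    return {name: findings for name, findings in results.items() if findings}


def inventory_gaps(inventory: Set[str], observed: Set[str]) -> Set[str]:
    """Devices seen on the network that the agency's required inventory does not list."""
    return observed - inventory


# Constructed sample attestations: one device that fails every check, one that passes.
CAMERA = DeviceAttestation(
    model="cam-100",
    components={"busybox": "1.20.0", "dropbear": "2016.72"},
    update_channel=None,
    credentials_changeable=False,
    hardcoded_credentials=True,
)
SENSOR = DeviceAttestation(
    model="env-sensor-7",
    components={"busybox": "1.27.2"},
    update_channel="signed-ota",
    credentials_changeable=True,
    hardcoded_credentials=False,
)

if __name__ == "__main__":
    for device in (CAMERA, SENSOR):
        verdict = evaluate(device)
        print(device.model, "PASS" if not verdict else "FAIL")
        for requirement, findings in verdict.items():
            for finding in findings:
                print(f"  [{requirement}] {finding}")
    # Constructed inventory versus what a network scan reported.
    print("not in inventory:", inventory_gaps({"cam-100", "env-sensor-7"}, {"env-sensor-7", "hvac-ctl-2"}))
```

The gate deliberately reports every failed requirement rather than stopping at the first, since procurement staff need the full list to send back to the vendor; the inventory reconciliation is what makes the OMB-mandated device inventory enforceable rather than a paper exercise.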

This makes sense. Right now, there is little guidance coming from the government on protecting IoT devices in the federal infrastructure.

In this case, the U.S. lags behind its European counterparts, where the General Data Protection Regulation takes effect in May 2018; although GDPR is framed around personal data rather than devices, it obliges anyone processing that data to secure it, connected devices included. That's not to say the U.S. hasn't done anything: the FTC published IoT security guidance in 2015, the same year white-hat researchers demonstrated how easy it was to take remote control of a Jeep.

Legislating parameters may not be enough

Of course, legislation is not the be-all and end-all of government IoT security. Bad actors are always coming up with new ways to get what they want, and enacting a law won't keep them from doing their dirty work. That's why a bill like the one currently proposed, which keeps vendors responsible for patching and securing devices over their lifetime, is better than a fixed set of minimum standards based on today's technology, which would be obsolete as soon as the threats moved on.

If vendors know the ball is in their court to keep up with IoT device security, it goes a long way to giving government IT professionals more peace of mind – especially if vendors know they won’t be able to sell their wares if they don’t pick up that responsibility.

However, some industry observers believe small startups could suffer most from these kinds of restrictions – meaning that costs for manufacturers and consumers alike might skyrocket, and technological advances may stall.

Companies don’t need regulations to stay ahead of IoT security problems, the argument goes. Industry needs to show that it’s policing itself, which would do away with the need for any government legislation or intervention.

So even though some legislation now might be important to shore up IoT security, the industry seems to be equally interested in having standards set by trade associations or other bodies, to prevent what they feel might be overweening controls by legislators down the road.

Striking a balance

So where are we now? The challenge facing the industry and government will be to strike a balance on how IoT regulation and enforcement can meet federal security goals while keeping pace with a rapidly developing and evolving technology.

By 2020, it’s estimated, there will be more than 20 billion connected devices in use, and a quarter of attacks will use IoT by then. Common sense suggests that these trends will require some form of broad regulation. That, in turn, is likely to spur even greater IoT investment in state, local and federal government, because baseline security controls give public sector IT professionals confidence in the storage and transmission of data from these devices.

The inevitability of legislation and regulation should create an incentive for vendors to wrap security around their products. Far from stifling technological innovation, it could, in fact, create lucrative new opportunities for security vendors.

This blog originally appeared on the Government InfoSec blog, which can be found in the IDG Contributor Network.

For more insight on what’s going on in the government IT market, subscribe to the Government Sales Insider blog.

About Lloyd McCoy Jr.
Lloyd McCoy is the Department of Defense Consultant on the Market Intelligence team. Prior to working for immixGroup, he worked in the public sector as a senior analyst with the Defense Department. Lloyd primarily monitors and analyzes issues relating to the Navy/Marine Corps, Defense Health Agency, and the Defense Information Systems Agency.
