By Sudhakar Ramakrishna, CEO, Pulse Secure
After years of undisclosed breaches, stolen identities and negligent data handling, Europe’s General Data Protection Regulation (GDPR) is forcing companies to get serious about data privacy. Lawsuits against Google and Facebook were filed the day GDPR went into effect, and it appears the law’s teeth will soon be tested with Irish Data Protection Commission’s investigation into the recent Facebook breach, which impacted roughly 50 million users, of which three million were European, making it subject to GDPR fines.
Despite the regulatory inroads of GDPR, until a few weeks ago when California Governor Jerry Brown signed the nation’s first-ever IoT security bill into law, we’ve had no specific regulation for the relentlessly growing and critically insecure IoT.
The State of California’s SB: 327 - Information privacy: connected devices law, applies to manufacturers of devices or those who have a device manufactured on its behalf for sale in California. It does not, however, apply to devices purchased for resale, even if they are privately labeled, and some legal experts feel “the law is ambiguous in many respects, and will likely create significant challenges in its implementation and effectiveness.” While the California law is certainly a trailblazing first step, it been widely criticized by security experts. Since it won’t go into effect until 2020, we’ll just have to wait and see.
GDPR does regulate the use of personal data as it pertains to the IoT it still doesn’t call the problem by its name. For example, GDPR will hold you accountable for your security vulnerabilities, third parties and personal data handling assets to make sure that they are also GDPR compliant. That will include IoT devices, but those specific concerns will be diluted among a mix of other security considerations.
Early on, IoT hacks were initially limited to high profile demonstrations of car and pacemaker hacks, until the Mirai bot proved IoT devices were susceptible to wide-scale hacking. With IDC predicting there will be 200 billion connected devices in use by 2020, IoT development shows no signs of slowing down.
With that being the case, we need to act with a sense of urgency when it comes to addressing IoT-specific risk vectors, vulnerabilities and data privacy issues. Few laws that have the kind of weight and clarity that GDPR provides for the safeguarding of personal data – why not apply that to the IoT realm?
One of the main reasons is the highly distributed, global nature of IOT supply chains. Unless national regulators can make foreign manufacturers do what they say, regulation on IoT security will be hard to achieve. Many IoT devices are manufactured in countries prized for their low regulatory barriers, allowing retailers to bring in the cheap smart devices that consumers and small business crave.
It’s a big problem that will take cooperation on a global scale, but as Bruce Schneier outlines in his recent book on the state of IoT security, it’s not impossible to achieve. In addition to California, Britain and France seem to be approaching IoT security strategically. FCC has been studying ways to implement “Security by Design” across the IoT supply chain from as far back as 2013.
What makes GDPR so relevant to IoT is that it sets policy in 28 separate countries and applies not only to entities that are based in those countries and have customers within them, making GDPR a truly global regulation. A law of that scope holds useful lessons for regulating the complicated, international supply chain of IoT devices.
Because its unlikely lawmakers will catch up to the pace of innovation in the near term, it behooves the private sector and/or the cyber security industry to establish a commercial IoT security testing standard and share best practices for IoT risk mitigation.
For example, ISCA Labs, an ISO-accredited, independent, third-party tester has published an IoT testing framework, and NIST is actively spearheading IoT cybersecurity. Enterprises are applying new technologies and security automation to set and enforce policies for IoT device use to mitigate the risk of malware proliferation, network exposure, and sensitive data leakage. It is also imperative that consumers and enterprises understand IoT security threats and safeguards.
On October 8, Google announced a set of data privacy measures and that it was shutting down Google+ due to an undisclosed “exposure” of the data of 500,000 Google + users that occurred in March (making it exempt from GDPR fines). While it’s currently unclear if any information was compromised, it’s still a PR hit for Google.
Unfortunately, the constant onslaught of breaches has been one of the best catalysts of regulation. Perhaps the Google and Facebook incidents can serve as teachable moments that can rally lawmakers to ramp up their efforts to stem the tide of IoT risks before it’s too late.
The clock is ticking….