The wildfire growth of IoT is arguably the most important trend happening in technology today, but the ease with which bad actors can exploit its manifold security vulnerabilities has been demonstrated many times in just the past couple of years.
Despite the generally laissez-faire stance the U.S. takes toward regulating technology companies, the severity of the threat – IoT security issues affect healthcare, infrastructure, transportation and many other crucial parts of society – has some calling for regulation of the IoT.
Regulations lag the technology
Given the speed at which technology, particularly around IoT, develops these days, from drawing board to prototype to production, plenty of people would argue that it’s impossible for a regulatory regime to keep pace.
According to James Waldo, a professor at Harvard’s Paulson School of Engineering and Applied Sciences and that department’s CTO, there’s little hope for a set of regulations that evolves along with the technology.
“The timescale by which regulation and legislation works is immensely different than the timescale that technology development works on,” he said. “The regulators tend to be reactive, and reactive to things that happened four or five years ago.”
That being the case, the simplest way to address many of the most grievous harms that insecure IoT systems can inflict is at a basic engineering level – it’s not unreasonable to expect devices produced today not to have unchangeable default passwords, nor to require them to be changed from the default by consumers once activated.
Nevertheless, current culture in the technology sector – including many of the brand-new entrants that are part of the IoT market, which is projected to reach 45.4 billion Internet-connectable devices by 2021, according to IHS Markit – is to get products out the door and into customers’ hands as quickly as possible.
This, of course, requires corners to be cut, and security is inevitably one of the first of those corners. Norman Sadeh, a professor of computer science at Carnegie Mellon University, said that the problem could well be exacerbated by the influx of new companies in the connected device market.
“IoT devices … aren’t just going to come from sophisticated vendors, but might also be developed by two guys in a garage,” he said. A couple of sensors, an Arduino or Raspberry Pi, and an IoT gadget is born.
The FTC is pushing for IoT regulations
The U.S. has historically been hesitant to impose regulatory rules on businesses, particularly in the technology sector – witness the recent decisions rolling back the application of common carrier rules to ISPs – which means it’s likely that any attempt to regulate IoT technology will be done with a soft touch.