Public policy and the Internet of Things

Over the past few years, the security of the Internet of Things (IoT) has been a consistent focus in policy circles around the world. It’s easy to understand why: The Internet of Things is where the lines between physical and virtual blur and the potential for cyber-attack could result not only in compromising the confidentiality, integrity, or availability of data, but also potentially in causing physical harm. On top of that, the incredibly rapid adoption of Internet of Things technologies means an explosion in potential attack surface.

Connected technologies are now pervasive in every walk of life, from healthcare to transportation and everything in between. WannaCry and NotPetya revealed how devastating cyber-attacks can be to the physical world—both creating dramatic loss of healthcare and other critical services around the world and costing millions or even billions in damages. Neither attack directly targeted IoT technologies, but both impacted physical systems with catastrophic effects, highlighting to policymakers the need to get ahead of the IoT threat before these systems become a more deliberate target for attackers.

Many of the policy discussions revolve around two primary concepts:

  • Driving adoption of secure-by-design practices among manufacturers of IoT technologies. This means identifying core security practices that can be built into the development and maintenance of the IoT system to reduce risk. These practices are either mandated or incentivized in some way, depending on the policy proposal and regulatory environment of the jurisdiction.
  • Creating transparency and understanding for technology users/consumers. Again, this varies by proposal, but the consistent goal is to create more informed technology buyers who will actively seek information on security and factor it into their purchasing decisions. The common themes in this area are testing and certification, labeling, and “bill of materials,” where manufacturers provide buyers with a full list of components (even the various software components) and possibly also any known security issues associated with them.

While these themes recur throughout IoT policy discussions, the specifics vary, in part because of the discrete regulatory environments of each jurisdiction, but also because of the vast range of technologies available and the audiences impacted. For example, the requirements and oversight around connected technologies used in the oil and gas industry will vary greatly to those relating to personal fitness monitors. As a result, increasingly regulatory discussions are breaking IoT into categories or audiences in order to make the requirements more fit for purpose. For example, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, introduced by the U.S. Congress, focuses on regulating the security requirements for IoT technologies purchased by the U.S. government, while the U.K. government has put out a proposal for enhancing the security for consumer-centric IoT.

Many regulators that deal with specific sectors that are embracing connected technologies are also looking at sector-specific regulation or guidance—for example, the pre- and post-market guidances for connected medical devices introduced by the United States Food and Drug Administration, or the United Nations Economic Commission for Europe (UNECE) WP. 29, which lays out a framework for vehicular cybersecurity.

Rapid7’s involvement

As much as possible, Rapid7’s IoT experts and policy advocates are collaborating with other IoT security champions across the community to participate in policy discussions and try to shape more positive outcomes. You can read about our participation in IoT policy discussions on the Rapid7 Public Policy page, and check out the written testimony and video of our U.S. public policy lead, Harley Geiger, testifying to Congress on IoT security. Also, check out the Rapid7 blog to learn about our view of non-regulatory frameworks for IoT security, and our position on various U.S. legislative proposals and developments, such as the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, the security research exemption for consumer technology in the Digital Millennium Copyright Act (DMCA), and the Cyber Shield Act.

In general, Rapid7 takes a cautious approach to regulation—no one benefits from an overly burdensome regulatory environment that cripples innovation and competition. Similarly, requirements to comply with multiple, fragmented, or varying sets of requirements or controls in different jurisdictions will likely paralyze businesses.

That said, we are not seeing adoption of security best practices for IoT technologies quickly or broadly enough in proportion to the security risks, and cybersecurity information shared with buyers is often at best, confusing, and at worst, misleading. Buyers are either insufficiently empowered or informed to demand cybersecurity assurances and mitigations from their vendors. This is particularly problematic in sectors relating to critical infrastructure or where there is a greater potential for cyber-attacks to cause widespread or severe harm.

As such, we believe that some regulation encouraging the adoption of baseline secure-by-design measures is warranted. This is particularly true in sectors that are already highly regulated because of their role as critical infrastructure or their potential to cause physical or economic harm at scale. Policies to encourage better IoT security can take many forms, and will vary by legal system and sector. For example, Rapid7 has suggested that U.S. federal agencies issue coordinated expectations regarding IoT security issues within their realms of jurisdiction, as the FDA has done with medical devices. Another approach, underway in the U.K., is to issue a broad-based requirement for consumer devices generally.

Developing the right policy approach

From Rapid7’s perspective, different approaches could work, but the keys are that the requirements be as consistent as possible across geographies and industry sectors, measurable and enforceable to ensure meaningful adoption, and flexible enough to enable innovation and accommodate the broad diversity of IoT deployments.

When it comes to IoT regulation or policy, there are a few elements that we particularly support:

  • Up-to-date, actionable, and data-backed security controls. When creating regulation for technology, it’s hard to find the line between being so prescriptive that the regulation quickly becomes obsolete, and being too vague to be actionable. Some regulatory proposals get round this by pointing to ISOs or other standards or frameworks that will likely be updated more frequently or quickly than legislation. Two such frameworks are the NIST IoT Device Cybersecurity Capability Core Baseline (NISTIR 8259A) and the European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645, which seems to be providing a basis for many IoT policy discussions around the world.
  • Context-aware and relevant. What is necessary for one class of technology or user might very well be totally inappropriate for another. For example, bill of materials is currently being trialed in the medical device sector in the U.S. where large healthcare providers want full visibility into the devices they are deploying in their hospitals, but that degree of visibility would be utterly overwhelming for your average consumer buyer looking for a new fitness band. IoT security legislation should take into account the specific threat profile, context and nature of usage, and complexity of the technologies being regulated.
  • Consistent and aligned. As mentioned earlier in this post, there are numerous efforts to create frameworks or regulation for IoT security around the world and in every sector. Where possible, efforts should be made to create a standard baseline in approach and expectation that carries across jurisdictions and sectors and reduces complexity for those being regulated. This need is balanced against the need above to make legislation relevant to the specific level of risk and complexity associated with the technology, and often the way it is being addressed is through reliance on frameworks (as detailed in the first bullet) that are developed and adopted internationally.
  • Vulnerability handling. The process for making technology is complicated and certain to yield unexpected issues or bugs. Manufacturers need to recognize this and provide a path for vulnerabilities to be disclosed and triaged. We also believe that verified vulnerabilities resulting in reasonable risk should always be disclosed and patched. As part of this, we also champion legal aircover for legitimate, good-faith, independent security research.
  • Transparency for IoT purchasers. Whether it’s certification, labeling, or bill of materials, we recognize that there is a great deal of complexity involved and reasonable concerns around how information could be verified, kept up-to-date, and communicated in an actionable format. Despite this, we believe that IoT purchasers and consumers in any sector benefit from being more informed about cybersecurity in general and whether the IoT devices they intend to purchase have a basic level of security present. This transparency can better enable market forces to hold vendors to a greater degree of accountability for security, including rewarding those vendors that adopt appropriate security best practices.

Rapid7 will continue to engage in discussions around IoT policy and regulation, pushing for the above elements and hoping to help create more positive outcomes that avoid unintended negative consequences. To help you keep up with these efforts, we will update the IoT section on Rapid7’s public policy page.

How can you get involved?

If you are interested in IoT cybersecurity, check out this absolutely fantastic site that maps the various government and industry frameworks being proposed or adopted around the world: https://iotsecuritymapping.uk/. Hat tip to David Rogers and the team at Copper Horse, who created and maintain the site and have been very active in discussions around IoT policy in the U.K. and Europe.

The U.K. government is currently seeking responses to its consumer IoT security legislative proposal. Check out its Call for Views and send in your comments before the Sept. 6 deadline.

For those interested in the security of IoT technologies that impact cyber-safety, you may want to check out I Am The Cavalry, a grassroots volunteer organization that connects those with security knowledge with policymakers, manufacturers, and buyers to create better security outcomes in four key areas: medical, transportation, connected home, and infrastructure.