With over 26 billion devices expected to form part of the Internet of Things (“IoT”) by as early as 2020, this ground-breaking concept, where the virtual world meets the physical world, has quickly gone from being an exciting possibility to an ever-present phenomenon.
The benefits of the IoT are multiple, from simplifying people’s lives through the use of IoT devices such as virtual assistants, to the possibility of designing entire ‘smart cities’ with the purpose of reducing waste and improving sustainability.
However, an increase in the number of interconnected devices simultaneously means an increase in cybersecurity-related risks. Many smart devices currently sold to consumers lack even basic security features (for example, products having hardcoded pre-set passwords), leaving them inadequate to address cybersecurity risks.
In the realm of IoT, any connected device lacking in security features will inevitably present huge risks to the whole IoT network, possibly even creating a risk to people’s lives if devices such as health trackers are jeopardized. Crimes of identity theft or fraud will also be facilitated as hackers are given easy access to highly sensitive data. On a bigger scale, the wider economy may also be impacted through possible distributed denial-of-service attacks such as the Mirai Botnet attack in October 2016.
A cry for regulation?
Whilst consumers cannot reasonably be expected to secure their own devices, the matter at hand cannot be viewed only as a commercial issue, but as one which may have national security implications. Should regulators intervene to the extent that IoT devices are not sold unless they are designed with strong security features?
Whilst a recent study carried out by the UK Department for Digital, Culture, Media & Sport shows that 72% of consumers expect security features to be built into devices prior to being sold on the market, the current situation is far from this, with a clear disparity between what consumers think they are buying and what they are actually buying.
Seeing as the implications of a weakly secured IoT network will impact not only consumers, but societies and systems at large, how does one balance preserving a competitive and free global market with ensuring that cybersecurity, and security in all its forms, does not take a backseat?
How is the world currently regulating IoT?
California will become the first state in the US to pass a cybersecurity law covering IoT devices. Titled ‘SB-327 Information privacy: connected devices’ and set to come into effect in 2020, the law requires that devices that connect to the internet be equipped with ‘reasonable security features’ that are designed to protect the device and any information contained therein from unauthorized access, destruction, modification or disclosure.
The legislation defines ‘reasonable security features’ explicitly and will effectively result in every IoT device sold in California coming with a password unique to that device, or a way to generate new authentication credentials before accessing it for the first time. The Bill, although applauded for taking a first step in the right direction, has been widely criticized for being too vague and weak, capable of allowing manufacturers to leave security holes.
Another interesting Bill tabled at US Senate level is the Cyber Shield Act of 2017, which is intended to have the Department of Commerce create a voluntary grading system for IoT device security, likely resulting in a labelling system that would mark the level of cybersecurity of each IoT product.
Most recently, members of the US Senate introduced another Bill, titled the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, which will require agencies within the federal government and vendors providing internet-connected devices to the government to directly communicate any cybersecurity risks associated with IoT devices.
The UK Government has recently launched a ‘Secure by Design’ voluntary code of practice (“CoP”) intended for IoT manufacturers and aimed at encouraging the same manufacturers to develop IoT devices designed with a baseline level of security.
The UK Government is also pushing for a security label scheme, with the label to be granted on the basis of the three (3) main guidelines found under the CoP, namely that:
- All IoT device passwords shall be unique and shall not be resettable to any universal factory default value.
- The manufacturer shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues.
- Manufacturers will explicitly state the minimum length of time for which the product will receive security updates.
Whilst the framework is still under consultation, the aim of the UK government is that retailers will eventually only be able to sell products which adhere to such requirements, and which have obtained the security label, without stifling innovation.
The EU Cybersecurity Act (the “Act”), which came into force on the 27th of June 2019, caters for tailor-made certification schemes for specific categories of ICT products, processes and services.
Each scheme must specify the categories of products and services including cybersecurity requirements, the type of evaluation (for example, self-assessment) to be carried out, and finally, the intended level of assurance. On this last point, a certificate will refer to one of three different assurance levels outlined by the Act, reflecting the level of risk associated with the product, process or service at hand. The assurance levels can be basic, substantial, or high, with high meaning that the product has passed the highest of security tests.
The use of certification schemes is, as it stands, voluntary. Future amendments to the Act may see the certification scheme evolve into a mandatory system; seeing how fast-paced the adoption of IoT networks is, this is not such an outlandish idea.
As things stand, Malta neither has cybersecurity laws nor foresees national measures to implement a national certification scheme for IoT devices.
Whilst parallels may be drawn between the EU voluntary certification scheme and Malta’s Innovative Technology Arrangement and Services Act (ITASA), the latter has been designed with the intention of creating a certification system for innovative technology arrangements such as Distributed Ledger Technology systems, and not to provide a specialised framework for cybersecurity and IoT devices, even if the definition of an innovative technology arrangement under ITASA may be expanded to possibly include IoT devices.
Moreover, Malta can look at other countries such as the US and take a cross-sectoral initiative to introduce national cybersecurity certification schemes for IoT devices or, at a minimum, issue guidelines similar to what the Malta Financial Services Authority issued for operators within the Virtual Financial Assets Framework.
A balanced way forward
There are several issues at hand which need to be thoroughly considered when addressing the regulation of IoT devices in terms of cybersecurity.
If, for instance, one were to legislate on a national level, the fact that IoT products used within Malta are not actually manufactured in Malta may create a practical issue if Malta decides to regulate. This may be a common issue with other EU Member States.
To this end, the EU’s role in issuing guidance relating to the security of IoT devices and in eventually expanding the current Cybersecurity Act will become even more crucial.
The implementation of mandatory security features in all IoT devices will possibly have a monetary impact and an impact on innovation. Nevertheless, seeing as the ubiquity of IoT devices will increase and not diminish, the security of devices that form part of the IoT must become a sine qua non and not an afterthought.
Article written by Dr Bernice Saliba and Legal Trainee Mr Gigi Gatt.
Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.