The Internet of Things and The Difficulty In Regulating Emerging Technologies
From window blinds to locks, the total number of consumer and industrial devices capable of collecting, transmitting and receiving data through the Internet continues to grow. Indeed, the installed base of connected devices in 2015 was estimated at 15.41 billion worldwide and is expected to reach almost 76 billion devices by 2025. This increased digitalization of everyday and commercial items is known as the Internet of Things (IoT).
While IoT devices can result in more efficient processes, smarter decision making, and more autonomy, both in business and in our personal lives, they also pose significant privacy and security risks. As the number of IoT devices increases, so too does the amount of personal and corporate information that exists and is shared online. And by connecting a greater diversity of devices to networks, the number of vulnerable portals through which criminals can access this information or take control of a connected device also increases.
Not surprisingly, IoT devices have become attractive targets for cybercriminals. Symantec, a well-known Internet security company, reports that the number of attacks on IoT devices increased from about 6,000 in 2016 to 50,000 in 2017—a 600% increase in just one year. What makes these devices so attractive are their often poor or non-existent built-in security, their use of hard-coded default credentials that do not require a user to create a unique user name or password, their poor network segmentation, which can allow direct access to or control of connected devices and their internal networks, and the inclusion of unneeded functionality based on generic hardware or software development processes.
Given the rapid growth and the broad impact of IoT devices, state and federal governments have been slow to respond to the privacy and security threats posed by them. Enter California—the first state to pass an IoT security bill. Drafted in response to various high-profile attacks on IoT devices, and signed into law on September 28, 2018, Senate Bill 327 (the “California IoT Bill”) is simple: it requires only that manufacturers A) equip IoT devices sold in California with a “reasonable security feature or features” appropriate to the nature and function of the device and the information it collects or transmits, and B) include on each device capable of non-network authentication a unique preprogrammed password that users must change before being able to access the device for the first time.
The California IoT bill highlights the difficulty in regulating a rapidly changing digital world. Because of the speed with which technology is evolving and new threats are arising, regulators no longer have time to study a specific issue and develop appropriate and comprehensive regulatory frameworks to protect citizens while ensuring business and innovation flourish. Rather, in the face of such rapidly advancing technology, regulators are challenged to understand what it is they are regulating, and then rapidly create legislation that protects users, while remaining flexible enough to accommodate developing technologies and promote innovation.
Some commentators have thus praised the simplicity of the California IoT Bill and its use of a “reasonable” standard as allowing flexibility in determining what standards are reasonable for different industries or products, while implicitly acknowledging that those standards may change as IoT technology and its associated risks continue to evolve. Others, however, have criticized the bill as an example of regulators not understanding what it is they are regulating. They argue the bill is too vague to be effective, does not address the real threats (such as the inclusion of unnecessary and insecure features and poor network segmentation), and will simply result in manufacturers adding unnecessary security features that will increase costs to consumers and stifle innovation, while offering minimal protection.
Nonetheless, California’s IoT Bill is the first to regulate the security of IoT devices, and embraces a flexible approach to governing emerging technologies. Whether the bill succeeds in its purposes, or instead provides yet another example of legislators’ superficial understanding of new technology issues, increases costs to consumers, and stifles innovation remains to be seen.