The News: As of January 1, 2020 both California and Oregon’s IoT cybersecurity laws (SB 327 and HB 2395 respectively) covering “smart” devices went into effect. These laws state that any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features. As IoT cybersecurity regulations begin on the local (state) level, federal regulation is looming. Depending on the IoT vendor’s point of view, regulatory change will either help or hinder innovation. Either way, such changes are already taking place and participants in IoT ecosystems should be prepared as it adds a layer of compliance into their operations. Firedome published a good overview on these new laws here if you’d like a deeper dive.
IoT Cybersecurity Regulations Kick in With the Start of 2020
Analyst Take: IoT cybersecurity regulations are kicking in as we move into 2020. That’s significant for device, automotive and sensor manufacturers, network, software and platform providers—all players in the Internet of Things (IoT) ecosystem who anticipate industry growth into the tens of billions as we launch into the 2020s. With IoT comes the promise of connected homes and cars, as well as smart cities, smart health, and more. However, as the number of things connected to the internet grows exponentially, so do the risks of cyber-attacks. Due to these risks, regulators are now stepping in.
What IoT Cybersecurity Regulation Means for the IoT Community
The main reasons for security breaches in IoT are due to vulnerabilities in hardware and software, like default admin passwords or less secure peer-to-peer (P2P) internet connections. A prime example is the disruptive Mirai botnet strain, which used hundreds of thousands of IoT devices (like DVRs and IP cameras) to launch widespread malware in October of 2016. Since then, there have been examples of very public and global IoT security breaches that occurred through devices such as smart watches, toys, and dated medical equipment in hospitals.
As a result, whether IoT vendors agree or not, IoT security legislation has either been passed or is currently in deliberation. How it impacts the IoT community and the technology that surrounds it is that it now means vigilance will be required in tracking new regulation to make sure that you and the partners in your ecosystem are compliant.
What’s Happening with IoT Cybersecurity Regulations on the Global Level?
In addition to laws in California and Oregon, on the federal level in the U.S., the Internet of Things Cybersecurity Improvement Act is a bipartisan effort that is still in deliberation and differs from local legislation in that it requires recommendations from the National Institute of Standards and Technology. Meanwhile globally, the UK and Japan are tackling IoT cybersecurity through regulations of their own, with Japan being more proactive with full-launch investigations to find IoT security breaches.
Critics of current and proposed IoT security regulations claim it is too vague, creates more cost, and stymies innovation. Proponents say it is a starting point, will foster standards amongst the tech industry, and is better than having IoT ecosystems open to an attack at any time over any network or device. At this point, it’s inevitable—IoT cybersecurity regulations are gaining momentum and as it evolves, IoT players will have to stay vigilant in tracking new laws.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.
Other insights from the Futurum team:
IoT Cybersecurity Improvement Act Calls for Deployment Standards
Massive GDPR Fines Mean Investors, Board Members Rethink Cybersecurity
The Race for Data and the Cybersecurity Challenges This Creates
Image Credit: CSO
Author Information
Sarah most recently served as the head of industry research for Oracle. Her experience working as a research director and analyst extends across multiple focus areas including AI, big data and analytics, cloud infrastructure and operations, OSS/BSS, customer experience, IoT, SDN/NFV, mobile enterprise, cable/MSO issues, and managed services. Sarah has also conducted primary research of the retail, banking, financial services, healthcare, higher ed, manufacturing, and insurance industries and her research has been cited by media such as Forbes, U.S. News & World Report, VentureBeat, ReCode, and various trade publications, such as eMarketer and The Financial Brand.