Regulating the Security of the Internet of Things (IoT) in a 5G World

In one of those strange inversions of reason, The Internet of Things (IoT) arguably began before the Internet itself. In 1980, a thirsty graduate in Carnegie Mellon University’s computer science department, David Nichols, eventually grew tired of hiking to the local Coca Cola vending machine only to find it empty or stocked entirely with warm cola. So, Nichols connected the machine to a network and wrote a program that updated his colleagues and him on cola stock levels. The first IoT device was born.

Things have moved on somewhat. Today, the world is home to 8 billion connected devices or “things”, with that number projected to leap to 20 billion devices by 2020. As Bruce Schneier says, “We’re building a robot the size of the world, and most people don’t even realize it.” This exponential growth has been driven by an increasing appetite for connection, convenience and consumption. These are good for business and, for the most part, private individuals. But there is a dark side.

Security of the Internet of Things is historically poor and fraught with challenges. According to researchers, in the ten largest US cities alone there are over 178 million IoT devices that lack basic security features and are visible to attackers. That is alarming enough, but what will be the impact as we move into a new era of hyper-connectivity under 5G?

As the 2016 Mirai botnet attack made all too clear, the IoT is dangerously vulnerable to disruption. Mirai impacted millions of people in the U.S, as well as affecting service for internet users in Germany and the UK, yet public discourse on IoT security remains patchy and inconsistent.

Why isn’t there more discussion about IoT hacks outside of the cybersecurity community? Are people naïve or do they simply not care? In reality it’s a bit of both.

The IoT is notoriously difficult to regulate, with service providers being scattered across borders and jurisdictional lines. Your network operator may be local, but your device may have been made in another country, its components in yet another. In such a scenario, the end user is seldom educated on how to – or why to – keep their devices secure.

The second part of the answer is embedded in human nature: We tend not to pay much attention to things until they impact our daily life. Mirai, for example, didn’t hack devices in order to get at their owners. Instead, these hacked devices were used to congregate enough computing power to launch a distributed denial-of-service attack on Dyn which supports the internet access of millions of Americans.

Aside from losing access to Netflix and Twitter, however, most people don’t feel directly impacted by such security breaches, so they aren’t too worried about their vulnerable devices. As long as their devices continue to function and their sensitive information isn’t compromised, the average end user is unlikely to get worked up about headlines like ‘Major IoT Cyber Attack’.

That’s all about to change under 5G. The first commercial 5G networks are expected to launch by the end of this year, with significant uptake expected by 2025. The promises of 5G are also its greatest threats. In a 5G environment, for example, autonomous cars and remote surgery become truly viable for the first time. With latency of one millisecond or less, connection over 5G will essentially represent real-time engagement.

Imagine the possibilities: A network of driverless automobiles traveling at the high speeds (200km/h plus) that are possible when every car knows where every other car is, and is able to respond to changes within a millisecond (by comparison, the average human response time is 200 milliseconds). The risk of collision approaches zero.

Now imagine that the IoT services are corrupted and the network connecting those hundreds of high speed vehicles suddenly collapses. Or cyber attackers target individuals with vulnerable pacemakers, as could have happened here.

When one looks beyond smart homes and sexy wearables one sees the Internet of Things as the Internet of Everything, not just the harmless stuff. 

We are living in a time where cybersecurity increasingly means human security.

What about the regulations that ensure IoT devices are safe?

“Aren’t there regulations to protect us?” This is a reasonable response when faced with the prospect of potentially devastating and fatal cyber attacks. Unfortunately, the answer to that question is not simple.

There are regulations and standards, but they are disparate and inconsistent. We need only look as recently as the passing of the California Consumer Privacy Act for an example of how state and federal laws can conflict on key issues like privacy. At the moment, all we have is a potpourri of guidelines and frameworks. I’m tracking more than 60 of them. Ideally, these separate guidelines would be amalgamated to form a user-friendly set of global standards that companies could use to build and maintain safe devices.

But we don’t live in an ideal world.

Firstly, IoT security is new enough and complicated enough that developing these guidelines takes time and expertise. Even then the results are not necessarily easy to implement. With so many devices going to market without sufficient security baked in, those responsible for developing or deploying IoT devices within their organisations need to apply IoT guidelines such as those published by NIST and DHS. But this is easier said than done.

As a result of difficulties interpreting and implementing these guidelines, regulations may be the only way to force security into IoT devices. But drawing up such regulations is a daunting task for lawmakers who are themselves still coming to terms with the complexity and nuances of the IoT landscape.

Secondly, there’s the human issue: We are thirsty for innovation. As Mike Gillespie put it, “At the moment, IoT is driven by the desire to innovate on the part of developers and functional need on behalf of the buyers.”

With the demand for IoT devices on a seemingly ceaseless growth curve, it is impossible to maintain full regulatory oversight, especially as suppliers rush to market with unsecure products in-hand.

To regulate or self-regulate: Where do we stand on IoT security regulations?

There are quite a few Internet of Things security guidelines available from different organizations. While there isn’t yet a framework that has attained the status of global standard, experts, bloggers, and IoT enthusiasts frequently cite some more than others. Here are a few that I’d highlight:

IoT Security Document	Organization	Publication Year
Baseline Security Recommendations for IoT	European Union Agency for Network and Information Security (ENISA)	2017
Security and Privacy Controls for Information Systems and Organizations	National Institute of Standards and Technology (NIST)	2017
Internet of Things Security Guideline	IoT Alliance Australia (IoTAA)	2017
Strategic Principles for Securing the Internet of Things	U.S. Department of Homeland Security	2016
IoT Security Guidelines and Assessment	GSMA	2016
IoT Security Compliance Framework	Internet of Things Security Foundation	2016
Industrial Internet Security Framework	The Industrial Internet Consortium	2016

Table: Internet of Things Security Guidelines and Frameworks

Normally, when an industry reveals a weakness in self-moderation – especially where it concerns national and international security threats – governments and regulatory bodies step in. Why is that not the case with the Internet of Things?

To begin with, regulation needs to be carefully balanced with freedom for innovation. Opponents of government regulation point to the software industry which they say managed to work security into its products through trial and error. They believe device manufacturers will figure it out in time because their long-term success depends on it.

IoT security regulations would also need to be enforced. This would require that governments agree on the specificity and extent of the standards. Will companies have to follow a handful of basic guidelines, or will they be legally obligated to take a comprehensive, security-by-design approach?

Supporters of self-regulation argue that market forces will push companies to adhere to a global IoT standard – accreditation leads to increased consumer trust which leads to higher sales.

But others are unconvinced by this view of corporate motivation. As Bruce Schneier explains,  the market can’t solve IoT security on its own because markets are driven by short-term profit making.

If there’s one thing everyone agrees on, though, it’s the need for some sort of global standard to encourage greater alignment and better IoT security. Perhaps the dawn of 5G will be seen as an opportunity for industry leaders to combine forces in creating the framework the Internet of Things so desperately needs.  With a new generation of 5G-enabled devices set for production, and the creation of entirely new networks on the horizon, now is the time to build a system that is inherently as safe as it is exciting.