The Internet of Things (IoT) is here. We see it around us every day — from our wireless thermostats to our voice-activated Bluetooth speakers to road sensors that alert our cars to cold surface temperatures.
The IoT already includes billions of Internet-connected products that provide a myriad of services that simplify things, as they sense, calculate and control processes, helping us to execute basic tasks or informing us to make better decisions. Since the inception of the Internet, we have heard much about cybersecurity – mostly about breaches — but also a lot of discussion about the need for consumers, businesses and governments to protect themselves from identify theft, ransomware, and predators attempting to disrupt our lives.
In the world of IoT, cybersecurity is no longer just important. It is imperative. Without the ability to securely connect to the Internet and other authorized services and products, we can kiss the benefits of IoT goodbye.
However, legislation in more than 17 states including AB 2110 in California, could undermine all the work that has been done to protect consumer security, privacy and safety. Bills such as AB 2110 are attempting to treat connected products the exact same way we might treat a trash compactor or a gas grill.
The unique benefits of connected and IoT products also come with security challenges. In a connected world, one rogue product weaponized by a hacker can do damage to others across hundreds, thousands or millions of connections and devices. When it comes to product manufacturers, I have been a very critical voice as I have implored manufacturers to take responsibility for the security of their products. If manufacturers do not incorporate security as a critical aspect of product design, we are all in trouble.
Security must be baked in. I have always said that convenience cannot trump security because there is nothing more “inconvenient” than a breach that costs time and dollars. Compromised IoT in healthcare and industrial systems can even cost lives. Most leading manufacturers have stepped up and heard the call, implementing security and privacy in the design process.
Can you imagine if the specs to your home security system were published? That’s exactly what AB 2110 requires. The examples of what can go wrong are many. The information published will make it simple for hackers, from anywhere in the world, to do things such as open your door to a stranger, talk to your child, order products online, and many other nefarious actions that compromise your personal information and security.
IoT can make lives easier and it can also provide life-saving services like we have never seen before. The inherent complexity in accomplishing these tasks makes the need to ensure that those who repair them are trained to protect the safety, security and privacy of product owners.
I am concerned that AB 2110 is a government mandate that goes too far. While it may be well-intended, it hurts the same consumers it’s intended to help, by placing consumers at risk, requiring manufacturers to publicly share the digital keys to their products – essentially a gift-wrapped box for bad actors.
The connected world is one like we have never seen before. No longer do industries or products operate in individual silos. We are truly living in an inter-dependent world and technology policies and legislation need to be looked through a new lens.
I fear that AB 2110 is seeking a 20th century solution for a 21st century issue and I do believe that the trade-off of security for perceived convenience far outweighs the benefits for consumers, businesses or the economy in any way.
Paul Paget is a cybersecurity consultant for the Security Innovation Center and the former CEO of a leading IoT security company.