The General Data Protection Regulation (GDPR) breaks new ground when it comes to privacy law. After years of hidden breaches, stolen identities and negligent data handling,organizationswill finally be forced to get serious about data privacy.
Data loss incidents that are due to non-compliance will face fines that run as high as four percent of global turnover, or 20 million euros, whichever is higher. This will prove a threat to some, but for others, it will finally put the weight behind personal data protection that has been lacking for so long.
But there is still no specific regulation for the relentlessly growing, and fatally insecure IoT. In 2017, the European Union Agency for Network and Information Security (ENISA) found that there were no “legal guidelines for IoT device and service trust.” Nor any “level zero defined for the security and privacy of connected and smart devices.”
Today’s smart workforce are bringing in personal devices into their workplace with the endeavor to get their job done faster. Manufacturers are building connected intelligence in their products to make them stickier and more purposeful. This massive small business and consumer adoption of connected devices have unfortunately left most manufacturers in the front seat offering features and interoperability, but with security exposures buried in the trunk.
IoT is a market that doesn’t show any signs of slowing down. The IDC predicts that there will be 200 billion connected devices by 2020 and if standards stay the same that could mean billions of security vulnerabilities. The Marai virus demonstrated how IoT devices with default settings can be vulnerable to infection and this malware has been used in DDOS attacks. And there are more malicious variants underway such as those that now aim to target ARC processors embedded into a broad array of Linux-based devices.
As such, it might then be a good idea to imbue IoT security with the kind of weight that the GDPR gives personal data. But why hasn’t that happened yet?
While GDPR does not have much that directly confronts the problems of the IoT. It regulates the use of personal data, as it pertains to the IoT but, the GDPR still doesn’t call the problem by its name. For example, GDPR holds you accountable for your security vulnerabilities, third parties and personal data handling assets to make sure that they are also GDPR compliant. This includes IoT devices, but those specific concerns will be diluted among a mix of other security considerations.
Regulation is often slow. The last piece of EU data protection regulation came in 1995. Since then we’ve seen the massive exponential growth of cross border data flows, the inexorable rise of cybercrime and the appearance of multiple computing devices and high speed internet connections in European homes. The GDPR, for example, was first proposed in January 2012 and it took over four years before it was adopted by the European parliament.
The point here is that regulation can be slow to deal with change. First, lawmakers have to get wind of a problem, begin to understand it and then meticulously draft lengthy documents embattled by bureaucratic hurdles, legal considerations and competing interests.
The GDPR holds supranational legitimacy over 28 separate countries and applies not only to bodies which are based in those countries but have customers within them. Considering the EU is still the world’s largest market, this makes the GDPR not just European regulation but a global one. Unless national regulators can make foreign manufacturers do what they say, regulation on IoT security will be hard to achieve. This could be especially difficult as international supply chains will prove a problem, as many IoT devices are manufactured in countries prized for their low regulatory barriers – allowing retailers to bring in the cheap smart devices that consumers and small business crave.
There are some signs toward IoT security regulation. In April 2017, the Californian state government introduced legislation for IoT security and the French government are eyeing proposals to make IoT manufacturers liable for the security of their products. There is a great desire to install regulations of this kind among a number of sectors, public and private.
Until then, it behooves the industry to establish a commercial IoT security testing standard and share best practices for IoT risk mitigation. For example, ISCA Labs, an ISO-accredited, independent, third-party tester has published an IoT testing framework. For example, enterprises have leveraged network access control (NAC) technology to fortify IoTdefences, enforce policies for unsanctioned IoT device use, and mitigate risk of malware proliferation, network exposure, and sensitive data leakage. Means to educate the consumer and enterprise market on IoT security threats and safeguards is equally important.
About the author: Scott Gordon is the chief marketing officer at Pulse Secure, responsible for global marketing strategy, communications, operations, channel and sales enablement. He possesses over 20 years’ experience contributing to security management, network, endpoint and data security, and risk assessment technologies at innovative startups and large organizations across SaaS, hardware and enterprise software platforms.