The safety and security of internet of things (IoT) devices remains a vexing issue for lawmakers, while a survey from the Internet Society shows there is still some way to go before reaching widespread public acceptance of IoT connectivity.
The survey, conducted in six countries by polling firm IPSOS Mori, found that 65% of those surveyed are concerned with how connected devices collect data, while 55% do not trust those devices to protect their privacy. Meanwhile, 63% of those surveyed said they find IoT devices, which are projected to number in the tens of billions worldwide, to be "creepy."
Those concerns were at the forefront of a hearing last week on IoT security by the U.S. Senate Committee on Commerce, Science and Transportation’s Subcommittee on Security, where lawmakers and witnesses debated how to make the devices safer and more transparent for consumers, and what the role of the federal government should be in legislating that. It's a dilemma for policymakers and industry leaders who must wrestle with these questions.
"We can't put the genie back in the bottle," Internet Society president and CEO Andrew Sullivan told Smart Cities Dive. "We have invented this technology, so we're going to have to figure out how to cope with it now. We have to figure out how are we going to make this technology something that better serves the people, the consumers who are buying it."
Risks and concerns
Consumers are turning to internet-connected devices, and while they present enormous opportunities for convenience, they are not without risks.
In prepared testimony before the subcommittee, Robert Mayer, senior vice president for cybersecurity at the United States Telecom Association (USTelecom), said there is "ample evidence of IoT security vulnerabilities," with incidents like cameras being used for spying, personal information being stolen and hackers taking control of devices like smart thermostats.
"Concerns of this kind can have a massive influence on public perception of technologies, and if not addressed in meaningful ways, trust in the digital ecosystem will erode, causing unpredictable levels of disruption and economic harm," Mayer’s testimony reads.
There have already been several major hacks of IoT devices, including the Mirai DDoS botnet attack in October 2016 that rocked technology company Dyn and dramatically slowed or brought down the internet across the East Coast and elsewhere in the world.
In written testimony, Mike Bergman, vice president of technology and standards at the Consumer Technology Association (CTA), warned of the international nature of the attack; 89.1% of the attack traffic originated from devices installed outside the United States, he said.
"In other words, enhancing the security of devices in the U.S. alone would not have prevented the Mirai attack or substantially mitigated its impact," Bergman’s testimony reads. Other countries are looking at other methods to test IoT vulnerabilities: Japan earlier this year hacked its own citizens to alert them to potential issues.
The march toward more connected device usage seems to be inexorable. The Internet Society's research found that 69% of those surveyed own at least one IoT device, which encompasses smart meters, fitness monitors, connected toys, home assistants, or gaming consoles. Sullivan noted the irony of most people finding IoT devices "creepy," yet owning them anyway.
"That to me is a fascinating kind of problem because what that says is that we've got a market," he said. "There's a real demand. People think that there's real hunger for it, for the services that we can get through these devices. Some of the things that I've heard people say over time has been these are just a flash in the pan."
U.S. Sen. Ed Markey, D-MA, noted at the Senate hearing that concerns over electronic devices being vulnerable to hacks are nothing new, although the threats have intensified. He recalled a demonstration in the 1990s when elected leaders’ cell phones were hacked and their calls listened in on, something that could be achieved by switching a few wires around.
"We're now in an era that is so much more dangerous than that now seemingly prosaic era that I am referring to, dangerous as it was at that time," Markey said, also noting the "Dickensian quality to the internet."
With the dichotomy of IoT devices continuing to gain in popularity while at the same time inspiring mistrust among the public, elected officials and the industry continue to battle with how best to help consumers make good choices around their privacy.
Among the ideas floated at the Senate hearing last week was a five-star rating on IoT devices indicating how secure they are, much like the voluntary Energy Star rating system managed by the Environmental Protection Agency (EPA) and U.S. Department of Energy (DOE) that provides information on how energy efficient certain products are.
"From my perspective, the least that we should be able to do is give them the safety information that they need," Markey said. "[The] least that we should be able to say is that we tried. We tried to get this information to families across this country, that their security is at risk."
Such a move received a lukewarm response from the subcommittee’s expert witnesses. Bergman noted the levels of cybersecurity on any product are not easily measured, and said that with the slew of other indicators on pieces of technology, consumers may suffer from "logo fatigue." While Matthew Eggers, vice president for cybersecurity policy at the U.S. Chamber of Commerce, said labeling is a "very good issue to tackle," Mayer said it could "create a false sense of confidence" among consumers.
Another alternative could be some kind of requirement for customers to change default passwords on their connected devices or do something else to the technology. Under questioning from senators, Harley Geiger, director of public policy at software company Rapid7, said it was "not realistic" to ask people to do so, especially as they may not be too tech-savvy.
Based on the findings from the Internet Society, there so far has not been much willingness on the part of the industry to move the ball forward. According to its survey, testing by multiple consumer organizations found that a range of products are rushed to market with little consideration for basic security and privacy protections. The group cited examples like Samsung smart televisions as well as smart watches for children that could be easily hacked.
"Consumers have told us they accept that they have some responsibility for the security and privacy of their IoT products but that isn’t the end of the story," Helena Leurent, director general at Consumers International, said in a statement released by the Internet Society. "They, and we, want to see tangible action from manufacturers, retailers, and governments on this issue. It has to be a collective effort, not the responsibility of one group."
There appears to be a renewed push in Congress to put together a federal privacy law to protect consumers' data, not only from IoT devices but in other areas. The State of Modern Application, Research and Trends of IoT Act (SMART IoT Act), a bill to direct the U.S. Department of Commerce to conduct a study of IoT devices and suggest appropriate guidelines and regulations, passed the House but went no further in Congress’ last session.
Markey said a federal law is needed so that technology companies are mandated to make security improvements to their products, as a voluntary system is not enough and becomes an "open-ended, take-home exam that will never be finished" otherwise.
Under questioning from U.S. Sen. Deb Fischer, R-NE, who said that privacy seems to be "moving in the right direction," Bergman said the government’s approach seems to be working and privacy is gradually tightening around IoT devices.
But others disagreed. U.S. Sen. Richard Blumenthal, D-CT, said the voluntary approach to customers’ privacy "is failing or has failed," and said that business leaders are "way too complacent" on many areas, including privacy and the potential for foreign interference. Blumenthal said he had a "very strong feeling of impatience and frustration as a Connecticut consumer, not to mention a public official. Listening to this conversation, one could conclude this is the first time we’re having this discussion."
Sullivan said that the battle, as with other areas of innovation, is that laws must not interfere or overly restrict new technology, especially as it is evolving so quickly. "We're essentially at the beginning of these capabilities; we barely know what we could do with this," he said. "It's always quite dangerous to regulate when you barely know what the capabilities of something are."
And the advent of 5G has some elected leaders on edge. As the U.S. looks to roll out the next-gen network quicker than any other country, there are significant worries that acquiring technology to help with that roll-out from Chinese companies like Huawei and ZTE could leave the network vulnerable to Chinese cyberattacks.
U.S. Sen. Rick Scott, R-FL, asked during the hearing whether such companies could be prevented from doing business in the U.S. "Why don't we just outlaw companies like that, that we know are bad actors?" he asked. But Geiger said trade agreements could complicate matters, as well as the fact that banning one country’s technology would not safeguard the U.S. from all future attacks. "We're not looking to be dragon-slayers," Eggers added.
U.S. Sen. Dan Sullivan, R-AK, the chair of the subcommittee, said it is to be expected that the EU would be part of international rule-setting and play a big role, but that it is "atypical" to have China try to assert itself, especially given the relationship between its telecoms companies and government.
"Last time I checked, there's no European country that had a telecoms entity that at the end of the day would be taking direction from their government the way Huawei would," Sullivan told reporters after the hearing. "I think that is a whole different category of concern."