The present and future of IoT legislation

With the internet of things have come many benefits. Top-notch efficiency in information-sharing allows new technologies to thrive like never before. However, in our increasingly computerized society, this level of interconnectedness brings risks with it as well. As a result, many jurisdictions have passed or are considering passing laws relating to the IoT in an attempt to get ahead of the security and privacy concerns that are inherent in the technology.

IoT laws in the present

Several jurisdictions around the world currently have IoT regulations on the books. In September of 2018, California became the first state in the U.S. to regulate IoT security, when then-Governer Jerry Brown approved Senate Bill 327. This bill states that manufacturers of "connected devices" must equip the products with "reasonable" and "adequate security" features that keep the data they collate safe. While lauded as a step in the right direction by a public that is becoming increasingly concerned with how their data is handled, the bill received criticism and concern from industry professionals. Many felt the law was too vague; terms like "connected devices" and "reasonable security features" were said to be too poorly defined to be considered particularly enforceable. For example, according to Adrian Sanabria of Thinkst Applied Research, "There are many examples of IoT devices that don't connect to the Internet (and would, therefore, be exempt from this law) that could be attacked if anyone is in physical proximity to them."

In the rest of the U.S., IoT security regulations are sparse or nonexistent, mostly taking the form of older statutes that have retroactively been applied to these new technologies thanks to new case law. The federal government has additionally been considering passing their own IoT legislation. On March 11, 2019, Democratic Sen. Mark Warner of Virginia introduced S.734 to the U.S. Senate. Simultaneously, fellow Democrat Rep. Robin Kelly of Illinois, introduced a similar bill, H.R. 1668, in the House of Representatives. Each bill seeks to implement IoT security regulations at the federal level. H.R. 1668 has not been considered by committees since June of 2019 and is possibly dead in the water. S.734, on the other hand, has been added to the Senate legislative calendar for 2020.

The internet of things has been likened to a "wild west" - a new frontier filled with possibility that nevertheless poses great risks due to its unregulated nature.

Future possibilities for IoT regulation

S.734's processes are on track for 2020, as ordered under General Orders in Calendar No. 215. The bill requires that the National Institute of Standards and Technology (NIST) and Office of Management and Budget (OMB) take steps to determine current security standards for IoT devices and draft new processes to increase cybersecurity. By March 31, 2020, NIST must
"develop recommendations for the appropriate use and management of IoT devices owned or controlled by the government, including minimum information security requirements for managing cybersecurity risks." However, it is important to note that this bill does not enshrine and security regulations into law, only order an investigation and recommendations on part of the two organizations. True IoT legislation on a federal level has not yet been introduced.

However, in the U.K., there is indeed possible IoT regulation on the horizon. On Jan. 27, 2020, the U.K. government announced it's set responses to regulatory proposals that Parliament discussed the previous year, according to SiliconRepublic. This U.K. law seems to hold onto or expand upon most of the proposed measures and regulations from 2019. Like the California law, the U.K.'s proposed law requires that passwords can't be reset to a factory default, and that telecommunications and technology companies possess a phone number or other point of contact for consumers to report security vulnerabilities. It also requires that companies should disclose how long a product will receive security updates, which some commentators believe is a tough requirement to enforce. Whether the law passes or not, the discussion around IoT both in the U.S., U.K. and elsewhere is sure to intensify when the final vote is made.

Regulation for the IoT is inevitable, whether it happens within a year or eight years. For firms to meet the security standards laid out in government regulations (and to keep their data safe), a robust network architecture will be required. Perle offers secure networking equipment such as Ethernet switches and serial to Ethernet converters. Check out some of the ways Perle has enabled clients to reach their technological potential.