The Internet of Things is expanding rapidly, both in the number of digital devices on the market and in the practical functionality and usefulness they bring to innovative, disruptive technologies that will shape the near future.
The Federal Trade Commission defines the IoT as «an interconnected environment in which all kinds of objects have a digital presence and the ability to communicate with other objects and people», a definition closely matched by that of the OPC, the Canadian Privacy Commissioner, who speaks of «the network of physical objects that connect through the Internet».
This new “network” of interconnected objects is growing constantly, so much so that in the United States alone it is expected to reach 1.6 trillion dollars by 2025. Economic interests, alongside technological ones, therefore command a great deal of attention. But many questions remain open, such as those raised by the OPC about who is responsible for the data: the owner, the producer, the developer of the software or algorithm, or the third party that transmits it. The actors involved in the different phases of producing the device and communicating its data need a series of regulatory protocols capable of properly settling future disputes.
The fields on which regulatory efforts are focused are:
- privacy, whether for unauthorized access to data by cybercriminals or for improper use of the data by those who collect it;
- product liability, in the event of a failure that causes damage or injury, since U.S. law distinguishes between hardware as a product and software as a service;
- deceptive business practices or unfair competition in the marketing of this type of device.
The regulatory authorities will be responsible for properly regulating licensing agreements, certifications, privacy policies, terms of use, and the contractual clauses that govern damages procedures.
There is as yet no global regulatory framework for the IoT phenomenon, so much so that in July last year a meeting of Interior, National Security and Public Security Ministers from the UK, US, Australia, New Zealand, and Canada was held in London to discuss «common security challenges in relation to the IoT and how it can best protect our citizens from cyber threats».
In January of this year, California's Senate Bill No. 327, referred to as the IoT Security Law, entered into force. With a rather wavering formula, it requires connected devices to have “reasonable security”, meaning that the security of a device must be directly proportional to its application (a monitor will require less security than a surveillance device, for example) and must protect the device from malicious attacks, with passwords that are changed on first access rather than left at their defaults. In 2019 a federal bill, the Internet of Things Cybersecurity Improvement Act, was also put forward, requiring compliance with standards and guidelines from the National Institute of Standards and Technology (NIST).
NIST has drawn up a series of recommendations and questions needed to standardize the IoT field, the main ones being:
- customer identification
- target audience
- use of the device
- geographical and physical place of use of the device
- device connections
- device risks
- data collected, used and transmitted
- configurations with updated and appropriate firmware and software
- the life cycle of the device.
SB 327 recommends and provides for an asymmetric, or public key, infrastructure (“PKI”) that delivers client authentication through certificates: trusted third parties verify the identity of a user and associate a public key with that identity by means of digital certificates. For NIST, not every digital certificate is valid; it recognizes only a few, and each is only as strong as the private “root”, or “self-signing”, key behind it. If that key is exposed, the infrastructure becomes almost useless, because it gives hackers free access to all devices, and “invisible”, therefore untraceable, access at that!
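As an added illustration, not code from SB 327, NIST, or this article, the following Go program (standard library only) shows the client-authentication flow described above: a vendor root issues a device certificate that binds a device identity to a public key, and the backend accepts a presented certificate only if it chains to a root in its trust store, is marked for client authentication, and names the expected device. The root names, device serial and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRoot creates a self-signed root certificate and its private key.
// The private key is the "root" key the article refers to: whoever holds it
// can issue certificates that every device trusting this root will accept.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert binds a device identity (a constructed serial here) to a
// fresh key pair by having the root sign it: the "associate a public key
// with an identity through a digital certificate" step of a PKI.
func issueDeviceCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, deviceID string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyDevice is the check a backend runs when a device presents its
// certificate for client authentication: it must chain to a trusted root,
// be usable for client auth, and name the device the backend expects.
func VerifyDevice(cert *x509.Certificate, trusted *x509.CertPool, expectedID string) error {
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return err
	}
	if cert.Subject.CommonName != expectedID {
		return fmt.Errorf("certificate is for %q, expected %q", cert.Subject.CommonName, expectedID)
	}
	return nil
}

// Demo builds a trust store holding one vendor root, issues a device
// certificate from it and another from an unrelated root, and reports
// whether the verifier accepts the first and rejects the second.
func Demo() (trustedOK bool, rogueRejected bool, err error) {
	root, rootKey, err := newRoot("Vendor IoT Root (constructed)")
	if err != nil {
		return false, false, err
	}
	other, otherKey, err := newRoot("Unrelated Root (constructed)")
	if err != nil {
		return false, false, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(root) // only the vendor root is trusted by the backend

	const deviceID = "device-serial-0001" // constructed device identity
	good, err := issueDeviceCert(root, rootKey, deviceID)
	if err != nil {
		return false, false, err
	}
	bad, err := issueDeviceCert(other, otherKey, deviceID)
	if err != nil {
		return false, false, err
	}
	trustedOK = VerifyDevice(good, trusted, deviceID) == nil
	rogueRejected = VerifyDevice(bad, trusted, deviceID) != nil
	return trustedOK, rogueRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("vendor-issued certificate accepted: %v\nunrelated-root certificate rejected: %v\n", ok, rejected)
}
```

Run it with `go run`. The second certificate is rejected only because its issuer is not in the trust store; the same issueDeviceCert call made with the vendor's root key produces certificates the verifier cannot distinguish from genuine ones, which is exactly the exposure the article warns about and the reason a root key is kept offline or in a hardware security module, with rotation and revocation procedures planned in advance.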
But since the lines drawn by the above-mentioned bill are still hazy, it will probably be appropriate to do here what was done for HIPAA, which called upon an external body, HITRUST, to draw up a single set of criteria and certification forms for everyone, in the interest of uniform, and truly essential, IoT security!