To ensure the security and privacy of Internet of Things deployments, vendors, service providers and corporate IT practitioners must assume responsibility for the integrity of their IoT networks and the data they handle.

Last year saw the continued growth of enterprises adopting internet of things solutions, with companies harnessing the power of wireless data collection, analytics and connectivity to enhance productivity and efficiency in ways we could previously not imagine. Analysts expect corporate spending on IoT in the U.S. to approach $200B in 2019, with global spending exceeding $800B.

As adoption has grown, privacy and security advocates have called for regulating IoT to enhance personal privacy and to strengthen the security of IoT devices and services. Several high-profile data breaches in the past few years were the result of hacks that used unsophisticated, vulnerable IoT devices such as nanny cams to get into secured computer networks. Researchers have even hacked into home computer networks using Wi-Fi connected “smart” IoT lightbulbs as the gateway.

IoT regulation hasn’t happened

Despite the hype and some hearings before Congress and the Federal Trade Commission, no legislation or regulations have been adopted at the federal level to regulate IoT devices or services. Three bills were introduced in Congress in 2017 – the Cyber Shield Act (which would have made IoT security voluntary); the Internet of Medical Things Resilience Partnership Act (also voluntary, but focused on IoT medical devices); and the Internet of Things Cybersecurity Improvement Act (which would have set product standards for devices sold to the government) – but none of them became law. Indeed, lawmakers on both sides of the aisle have advocated taking a hands-off approach to IoT, attributing the rapid growth of the Internet in the ’90s to a lack of governmental interference.
In our view, that’s a good thing – at least for the moment – because IoT holds so much promise for new innovation and economic opportunity, and because premature regulation could hobble its development. Issues such as security vulnerabilities in unsophisticated sensor/radio devices will undoubtedly be addressed by market forces: purchasers will demand greater security and suppliers will respond accordingly.

Who’s responsible when IoT fails?

As practitioners who advise clients purchasing IoT devices and services, we believe there is one important issue underlying the IoT that producers and commercial customers must resolve: Who is responsible to end users who may be harmed when an IoT device or transmission service fails or is compromised by a bad actor?

The current industry approach is for providers of IoT equipment and wireless data service to shift that responsibility to their corporate customers, who buy IoT devices and service, repackage them for a variety of consumer and business applications (e.g., health care, security, energy transmission, transportation), and sell them to other businesses or individual consumers. Although those middleman value-add solution providers have the direct relationship with the ultimate consumers of IoT devices and services, they are neither the radio manufacturers nor the providers of wireless data service, so they depend upon their suppliers for reliable products and services.

In our view, the underlying radio manufacturers and service providers need to assume more responsibility to end users for performance failures. As the market matures, suppliers and users will eventually resolve this issue, though it will almost certainly come at an increased cost for IoT devices and wireless service.
Takeaway

Companies that purchase IoT devices either for internal operations or for resale to customers should proactively explore what additional security measures they should implement given the vulnerability of IoT devices that are interconnected with their networks. And companies that use IoT devices to collect personal information, such as health-related information or location information, need to be cognizant of their obligations under Europe’s GDPR and other privacy laws when they handle that personal information.

Kevin DiLallo and Laura McDonald are partners at Levine, Blaszak, Block & Boothby (LB3), a D.C. law firm, and Joe Schmidt is a Project Director at TechCaliber Consulting (TC2). The firms help maximize businesses’ return on investment in information communication technology.