The regulation of the Internet of Things has, so far, happened on a relatively ad hoc basis: The Federal Trade Commission (FTC) has gone after products egregiously lacking in security. The Food and Drug Administration (FDA) has issued voluntary guidelines for securing medical devices. A few other agencies like Homeland Security and the National Institute of Standards and Technology have also released guidelines.
However, the security risks are bound to grow, as is the IoT market itself: Global IoT spending is expected to reach nearly $1.29 trillion over the next three years, IDC predicts. That's why now is the time for the federal government to set some hard and fast rules, argues Mandeep Khera, CMO at the application protection firm Arxan. His experience in both IoT and security has Khera convinced Washington can and should write new laws governing IoT, beginning with some critical verticals.
As the new administration takes charge, Khera shared his thoughts on what's next.
The following conversation was edited for brevity:
I've been following IoT for a while now. I spent a couple years in the IoT industry before I turned to the security side with Arxan. IoT's fairly new, it hasn't even quite gone mainstream yet. But one thing we've been concerned about is that just like any new technology, people focus first on functionality, so security is kind of on the backburner. People have been deploying apps like crazy in the last couple of years within IoT... and hackers are now starting to attack.
When I started talking to people -- various customers like chief security officers and even product teams -- they say, really there's no regulation that forces us to look into this. And it's sad but true -- people pay a lot more attention [to security] when there's regulation forcing them to do it.
IoT is such a huge revolution that's coming and has so many different parts, you have to look at it by vertical. There are some IoT verticals much more prone to attacks and more serious consequences that need regulations more than others -- connected medical devices like insulin pumps, blood pressure monitors, that are connected and need to be secure. If a hacker gets into it, it could result in the loss of a patient's life.
The FDA is already on it. They issued guidelines a few weeks ago and specifically said you have to secure the code. This is still a guideline -- it's not mandatory, but the medical device companies we're talking to are making a big effort to really start securing these devices.
The other is connected cars... From a cyberterrorism point of view, we're expecting a quarter billion connected cars by 2020... If hackers can attack them, you could see some cyberterrorism like cars crashing into each other, running through red lights -- who knows. The implications are huge, so we're starting to see some movement on the regulation side there.
Those two are critical in terms of where we think the regulations should be coming. If you look at the rest of it -- oil and gas, manufacturing processes... home automation, wearables -- the consequences are not as serious.
I don't think it'll be hard because there are precedents. If you remember the financial industry regulations a few years ago, the GLBA [Gramm-Leach-Bliley Act of 1999] -- that has become the norm. All financial institutions have to make sure there's proper security in place for network, web applications and so on, so hackers can't get to it and steal financial information.
So it's not like we have to reinvent the wheel. Let's look at the same principles we used before and make sure anyone manufacturing IoT devices and software, that all of those things are secure before they can sell. It doesn't have to be a deal. It could be kept pretty simple.
The reason for the regulations is not just about creating bureaucracy. I've asked executives point blank -- is regulation good or bad for you? And they said good because it gives us the budget. Otherwise they have a hard time going into their manager and saying we need X dollars to secure these things... These guys feel like they need to secure it, and they need money for it.
It depends. Clearly Trump is anti-regulation... But I think in this case, if he sees this as a cyber-terrorism issue, I think it'll get passed pretty quickly. But if he sees it as an annoyance and lobbyists tell him [it will be too costly], then he'll push it out. My feeling is he'll see it as the former.
Especially with all the hacking that took place during the election, I think it's top of mind for a lot of people.
Regulations are fine, but why don't we create tax breaks for companies doing a good job on security, so it gives them a positive incentive. It's a carrot and stick approach. We've had the stick for a while... but why don't we create tax breaks for companies doing a good job? It would be interesting to see if we could start a groundswell movement and push that cause.