It simply makes no sense to call for IoT devices to be certified safe and secure. Before you get bent out of shape, hear me out.
Regulations are unwieldy, blunt instruments, best left as a last resort. Cybersecurity regulations are not nimble, tend to be outdated the day they are instituted, and become the lowest common threshold for an industry to follow. That stifles security innovation and the application of best practices. On the upside, regulations do force industries that have ignored basic security practices to meet a common standard. But history has shown that those industries rarely go any further than the regulatory requirements. Look at the data breaches in the news every week: almost all of the breached organizations are compliant with the regulations that apply to them, yet they are losing data records by the billions. Compliance does not equal security!
Yet some are pounding the government drums, advocating for IoT certification regulations. I find their beliefs to be shortsighted and premature.
Regulations are definitely needed in some situations, but only for narrow applications to accomplish specific goals. Protecting privacy of children online, securing sensitive healthcare records, or requiring controls around credit card transactions are all codified to some extent in regulations.
I am a passionate security advocate, some would even go so far as to say a fanatic, but I don’t like this idea of requiring IoT devices to be certified safe and secure. It is simply too broad and undermines the economic model that is driving rapid innovation.
We don’t require such certification for phones, tablets, personal computers, or servers. So why would anyone think requiring certification for low-powered IoT devices is a good strategy?
Certification adds significant cost and time to product development. IoT devices are emerging for a vast variety of uses and tend to be far less expensive than fully featured computing systems, so a fixed certification cost is a much larger share of each product's budget. The scale of validation is another problem, as the number of IoT devices will soon exceed 50 billion. Deciding who will certify entirely new classes of devices, and what criteria will be accepted, is a political nightmare. Operationalizing such requirements at that scale will be expensive and slow. The bureaucracy and costs will add tremendous friction to the market, pushing out many companies and products.
There is no doubt IoT needs significantly more security, but recommending overly broad regulations is premature and likely damaging to everyone who benefits from smart devices. There are many other options that could deliver much better protection at a lower cost without catastrophically impeding innovation, competitiveness, and healthy market cycles. Establishing standards and best practices for design and validation is a great start. Driving consumers to recognize and value secure designs gives manufacturers a competitive incentive to challenge each other on security. Open bug bounties, public security research, and sharing of penetration-testing certifications would drive better processes across the IoT industry.
If such practices fail to be adopted or prove insufficient, then we should discuss regulation. But first, we must pursue better-targeted avenues to establish safety and security in partnership with the IoT industry, so the ecosystem can become more adaptable to evolving threats, support innovation, and be trustworthy for the benefit of all users. Let us not rush to a model of inflexible regulations; they should be considered only as the last option.