Security and the Internet of Things: Is Tougher Legislation Needed?

August 17, 2021 | Purdue Global Law School

On February 5, 2021, an employee of an Oldsmar, Florida, water treatment plant saw that someone was controlling his remote work computer. He also noticed that the level of sodium hydroxide (lye) in the water supply had been increased to potentially dangerous levels. The worker quickly acted to return levels to normal even before automated safety systems could respond.

Cyberattacks on critical infrastructure have become a greater threat in recent years as more devices are connected to the internet. The Internet of Things (IoT) has revolutionized entire industries by giving businesses and consumers remote access to systems. However, the IoT can allow hackers to gain control of those systems, infiltrate networks, and steal sensitive information.

The IoT is a catchall term for billions of sensors, controllers, and other network-connected devices. It continues to expand exponentially—according to research by Juniper Networks, there will be more than 46 billion internet-connected devices by the end of 2021. That represents a 200% increase over 2016.

Industrial and municipal applications are the fastest-growing segment of the IoT. However, the IoT also includes medical devices and everyday consumer products such as baby monitors, security systems, and connected appliances. IoT devices have notoriously lax cybersecurity, and the government has limited tools at its disposal to force manufacturers to address this risk.

The Growing IoT Security Problem

Most people are familiar with operating system and software updates on their mobile devices and desktop computers. However, many IoT devices were designed to perform a single function and don’t have a traditional operating system or the ability to install software. They also may lack enough processing power or memory to support security features.

These kinds of devices have been around for years as part of the operational technology (OT) systems used in industrial sectors. Traditionally, OT devices were not connected to the internet or to information technology (IT) systems. They benefited from the “security by obscurity” of a separate network that could only be accessed by gaining physical control of one of the devices.

That all changed with internet connectivity. When devices are connected to the public network, anyone can potentially see and access them unless they are protected by effective security controls. The risk has increased exponentially with the growth of the IoT. There are billions of potential access points for attackers, and more devices than businesses and government agencies can monitor and manage.

The organizations that utilize IoT devices are partly to blame—many, such as the Oldsmar, Florida, water treatment plant, have not taken basic steps to prevent an IoT security breach. Default passwords are not changed, usernames and passwords are shared, and common defensive technologies such as firewalls aren’t used to prevent intruders from accessing the network.

FTC Oversight of IoT

But should businesses be expected to bear total responsibility for securing devices that are inherently vulnerable? What about consumers? Consumers often have limited understanding of the threats posed by connected devices and what they can do to protect themselves. Do device manufacturers have an obligation to disclose security weaknesses?

Section 5 of the Federal Trade Commission (FTC) Act makes it unlawful to engage in unfair or deceptive acts that affect commerce, with potential civil penalties. The FTC’s Policy Statement on Deception defines deceptive practices as those that are likely to mislead reasonable consumers due to misrepresentation, omission of information, or other actions. An unfair practice “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

The FTC has used its statutory authority to initiate enforcement actions against companies that tell consumers they will protect their information but fail to do so. For example, if a company publishes a privacy policy, but does not live up to the promises made in that policy, the company may be found to have violated Section 5 of the FTC Act.

President Biden gave this authority more teeth with his Executive Order on Improving the Nation’s Cybersecurity, issued on May 12, 2021. The order tasks the National Institute of Standards and Technology (NIST) with developing criteria for product labeling to educate consumers about the cybersecurity capabilities of commercially available IoT devices. The labeling scheme will provide the FTC with another tool for targeting device manufacturers that make deceptive claims regarding cybersecurity. Although the labels won’t be required, they could also spur competitive forces that encourage manufacturers to take steps to improve device security.

The Internet of Things Cybersecurity Improvement Act

The Executive Order comes on the heels of the Internet of Things Cybersecurity Improvement Act, which was signed into law on December 4, 2020. The law directs NIST to “develop and publish standards and guidelines for the federal government on the appropriate use and management by agencies of IoT devices … including minimum information security requirements for managing cybersecurity risks associated with such devices.”

The act applies only to federal agencies and does not establish minimum security standards for IoT devices. However, experts expect it will ultimately influence the IoT marketplace by setting a precedent for tougher regulations.

In the meantime, billions of devices are collecting, transmitting, and analyzing data, and even executing commands without human intervention. Given the weak security of these devices, hackers can steal sensitive data, take control of the device, or gain access to other systems. In a doomsday scenario, they could sabotage critical infrastructure such as the electric grid. Is tougher legislation needed?

Learn More About Cyber Law

Purdue Global Law School offers an online Executive Juris Doctor program for those who are interested in a legal education but do not intend to become practicing attorneys. This program features a law and technology track that provides advanced legal training on matters related to cyber law. Single courses in technology and the law are also available.

We also offer an online Juris Doctor, which trains you to become a California-licensed attorney.

For more information about attending law school online with Purdue Global Law School, reach out today.

About The Author

Purdue Global Law School

Established in 1998, Purdue Global Law School (formerly Concord Law School) is Purdue University's fully online law school for working adults.