ILMA Compoundings – December 2019 - 30

WASHINGTON LANDSCAPE

Regulating the Internet
(of Things)
T
By Matthew Levetown

he past few years have seen a
flurry of new digital security
laws debated, passed and
enacted. Perhaps most familiar is
the European Union's (EU) General
Data Protection Regulation (GDPR),
due in part to the scope of rights and
enforcement - a single set of rules
applying to not only data collected
and processed within the EU, but even
transfer of the data out of the region.
In its wake, California passed its
Consumer Privacy Act (CPA), which
becomes effective on Jan. 1, 2020.
A few other states, including Massachusetts, New York and Maryland,
have considered or have passed digital
privacy laws.
At the same time, the interconnectivity of devices and cloud processing
gave birth to the internet of things
(IoT). While the basic idea has been
kicking around for decades,1 the
2008 birth year for IoT was reached
when the number of devices connected to the internet surpassed the
number of human users. Coupled
with human-machine interfaces, like
Google Home or Alexa, anyone can
have their own smart home straight
out of science fiction. The IoT is not
limited to personal comfort: sensors
and predictive analysis have been cited
as possible boons to the oil and gas
industry. From automated production
levels based on downstream needs
to real-time monitoring of pipeline
networks, let alone semi-autonomous
refining systems, the IoT will improve
productivity across industries.

30

DECEMBER 2019

| COMPOUNDINGS | ILMA.ORG

However, the question remains: Who
owns the data, and how secure is it?

CYBERSECURITY CHALLENGES
Every new device connected to a
network introduces more risk. Even a
network not actively connected to the
internet at large has increased avenues
of exploitation. Malware has been
crafted to attack IoT devices, such
as the Mirai botnet, which continuously scanned for and infected smart
devices using a table of factory default
passwords to launch distributed denial
of service (DDOS) attacks to shut
down websites. As the first variant
of Stuxnet showed by transmission
through USB drives and portable
engineering systems, even locally
networked devices can be the target
of attacks, albeit specific rather than
opportunistic attacks.
By 2025, an estimated 60 billion
IoT devices will exist, 7.5 times greater
than the world's predicted population.
The lack of focus on the cybersecurity
of IoT devices compared to human
interfaces, such as computers, opens
the door to collection of data by
both malicious hackers and data
miners. IBM's X-Force cybersecurity
intelligence group reported a 5,400%
increase in IoT vulnerabilities in
2018 compared to 2013. Predictably,
a number of private companies are
working to create firewall solutions,
rather than single-device solutions.
Private cybersecurity firms reacting
to device vulnerabilities are often a
triage solution for those affected
by attacks, as patches arise after

exploitation. In what is a surprise to
no one, only recently have federal
lawmakers recognized the need to
establish "cyber benchmarks" for IoT
devices, with several bills being introduced in 2019. While none have been
voted on yet, the basic idea is
to gather cyber experts from public
and private industries to create certifying standards.
In the Cyber Shield Act, for example, IoT device manufacturers meeting
the advisory committee benchmarks
would receive a "Cyber Shield"
label. A major concern expressed by
lawmakers has been the challenge of
balancing the current low-cost devices
that increase productivity with the
protection of infrastructure. The
proliferation of IoT devices is partially explained by the price point of
pre-made devices and the ease of interfacing newer electronics with internet
controllers for individualized uses.
While time will tell whether U.S.
lawmakers will define a national
digital privacy policy to pair with
cybersecurity, the two privacy laws
currently affecting the largest swath
of consumers are the CPA and the
GDPR. The CPA is more limited in
scope than the GDPR in some ways,
as "personal information" is defined as
that applying to natural persons rather
than business consumers. However,
coupled with an additional IoT security law becoming effective on Jan. 1,
2020, businesses that collect data from
over 50,000 consumers or devices
need to be able to comply with both
http://www.ILMA.ORG
ILMA Compoundings – December 2019

Table of Contents for the Digital Edition of ILMA Compoundings – December 2019
