Cybersecurity expert Bruce Schneier calls on U.S. to regulate IoT landscape

While the United Kingdom is urging Internet of Things (IoT) vendors to design products with security in mind, the United States currently doesn’t have a rulebook for such endeavors. But that doesn’t mean no talking heads are raising the question of cybersecurity in the IoT realm state-side.

Smart gadgets – from home appliances to enterprise IoT, to city-wide solutions – are projected to control our everyday lives in the next decade. Smart devices already pose a significant threat to the world, with examples ranging from the Mirai botnet taking down Dyn (and half of the Internet with it) in 2016, to more recent and more localized threats, like baby-cam spies peeping at mothers breastfeeding.

However, considering the tens of billions of connected devices expected to flood the market in the not-too-distant future, the IoT sector is becoming increasingly endangered by cyber threats.

At the Aspen Cyber Summit, security heavyweight Bruce Schneier warned that, unless the government gets involved, cybercrooks are going to have a field day with the IoT industry. Consumers aside, companies opening up their infrastructures to the Internet through unregulated IoT solutions will face dire consequences, he said, according to The Register.

“Looking at every other industry, we don’t get security unless it is done by the government,” Schneier said. “I challenge you to find an industry in the last 100 years that has improved security without being told [to do so] by the government.”

“I don’t think it is going to be the market,” Schneier added. “I don’t think people are going to say I’m going to choose my refrigerator based on the number of unwanted features that are in the device.”

Schneier was likely referring to convenience, implying that people always seek ease of use over security – an aspect that studies have corroborated time and time again. Other panelists, like Johnson & Johnson CISO Marene Allison, agreed.

Schneier’s arguments may fall on deaf ears for now, but it won’t be long before governments worldwide, not just in the U.S., have to acknowledge their crucial role in regulating our increasingly technological existence. And it seems the United States has already taken a step in the right direction.

California has started leading the way in two important cybersecurity aspects this year. For one, it aims to become one of the first U.S. states to implement a law akin to the EU General Data Protection Regulation, which already affects entities across the globe. The California Consumer Privacy Act aims directly at protecting Californians’ personally identifiable information. Secondly – and this effort is directly tied to IoT security – California this year officially outlawed poor default passwords in connected devices. The law seeks to help curb attacks that take advantage of smart devices rushed to market with lax security baked in (i.e. default admin passwords). However, not everyone agrees the law will single-handedly fix IoT security.