New Regulations for the Internet of Things?
Government-mandated standards and practices are on the verge of sweeping changes, perhaps not seen since Europe’s GDPR. This shift is reflected in incidents like last year’s wave of state-sponsored Chinese hackers targeting various industries and critical infrastructure, including agencies such as the US Treasury.
In this case, a stolen API key from a third-party vendor was used to access data from Treasury workstations. Unclassified documents were the main haul, a fact that has encouraged the conclusion that this was not a matter of national security. Regardless, activity from state-sponsored groups such as “Salt Typhoon,” for one, ramped up exponentially last year. That group was responsible for the breach of the three main US phone carriers and other agencies, and it continues to target critical infrastructure around the world. Stolen API keys can assist cyber criminals in privilege escalation, in gaining access to further parts of a system, and in exposing more critical data.
The regulatory impact of these events is manifold. For one, the Communications Assistance for Law Enforcement Act requires telecoms to defend against cybercrime, as confirmed by the Federal Communications Commission (FCC). The agency has also scheduled a meeting this month for the purpose of updating data security regulations for the industry.
Further regulations are intended to address the long-standing, half-baked approach to Internet of Things security. As they eventually come into force, device makers will be required to approach data security for their products with far more stringency than has been tacitly condoned so far. As with GDPR, it seems Europe is leading the way on this front too, adopting last October the Cyber Resilience Act for smart devices, while the UK similarly enacts the Product Security and Telecommunications Infrastructure Act. Both rules – covering devices from smart doorbells to toys – will, to varying degrees, give compliant products a “CE” label to alert consumers to their safety level. Development cycles that result in device vulnerabilities will no longer be tolerated; strong security will be required at every level and every stage.
While the new EU rules take effect starting in 2027, the process of becoming compliant will be toilsome. For GDPR, organizations spent an average of €1 million ($1.06 million) to prepare: a resource investment with the payoff of stronger security and continued access to markets. Encryption, security updates, testing, patching, and authentication will all need to be implemented or enhanced. For secure encryption of stored data on devices and in applications, NetLib Security’s Encryptionizer provides efficient protection that won’t disrupt operations while rendering critical data useless to cyber criminals.
There’s no better time than now to start prepping for incoming regulations.