This week, the Biden-Harris Administration announced the US Cyber Trust Mark, a new label to help consumers easily understand which smart devices are less vulnerable to cyberattacks. In the US, Statista estimates there will be 5.4 billion Internet of Things (IoT) devices online by 2025. And with a 41% increase in cyberattacks against IoT devices this year alone, it’s imperative that we shore up these vulnerable devices.
Why are IoT devices especially vulnerable to cyberattacks?
- Lack of built-in security: they are designed and developed without adhering to secure-by-design principles
- “Black box” with limited resources: users are not aware of security features and/or cannot install security solutions on the device themselves
- Maintenance cost: vendors often fail to release security updates
- Operational challenges: in many cases, it is difficult or impossible to install updates
- No visibility: traditional monitoring and security systems do not have visibility into the security problems inside the devices
These vulnerabilities make such devices the “weakest link” in the network. For cyber criminals, IoT devices offer:
- An entry point into organizations
- A resource or proxy for other cyberattacks. For example, infected IoT devices can be used in Distributed Denial of Service (DDoS) attacks
- Access to the device itself. Compromised physical devices (like cameras) can threaten privacy and safety
What role should vendors and manufacturers play?
In recent meetings with vendors and manufacturers, it has become clear that there are misconceptions about the importance of secure-by-design in smart devices. Many manufacturers consider cybersecurity a “nice to have” feature, or they see it as an issue for consumers to address. Unfortunately, it seems that many will not add cybersecurity protections unless regulation requires it or consumers demonstrate a strong demand.
The United States’ new national cybersecurity strategy strives to rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses and local government, and onto the organizations that are more capable and best-positioned to reduce risks.
Voluntary regulation and research have been circulating since 2016; however, manufacturers failed to adopt cybersecurity best practices because those practices weren’t mandatory. In Europe, the Cyber Resilience Act (CRA), the Radio Equipment Directive (RED) and other regulations are starting to change the market, and manufacturers are preparing for mandatory IoT cybersecurity regulation.
As cybersecurity experts, we cannot ignore the cyber threats that IoT devices pose to individuals and organizations. Mandatory regulation is now changing the landscape; it will align the market and help ensure the cyber resilience not only of the United States but of the entire world. The labeling program is a good first step toward enabling users – across enterprises, schools, and health care – to use IoT devices safely and to decide whether they want to invest in purchasing secure devices.