Monday, January 29, 2024
International governments have their sights set on connected devices this year. Some of the world’s biggest political bodies—including the European Union, the United States and the North Atlantic Treaty Organization (NATO)—are signaling sweeping changes to how they treat products considered to be part of the internet of things.
This is because vulnerable hardware and software products are increasingly the entry point for successful cyberattacks, with one widely cited industry estimate putting the global cost of cybercrime at $8 trillion in 2023.
Let’s consider how incoming rules tackle dodgy devices and what vendors must do to stay up to code.
Concerted efforts across borders
Unlike in years past, device vendors will face minimum cybersecurity thresholds before they can bring their products to market. As I noted recently on EE Times, incoming regulations on both sides of the Atlantic, such as the U.S. Cyber Trust Mark and Europe's Cyber Resilience Act, demonstrate a concerted push for stronger cybersecurity baselines.
First, the Biden Administration's program intends to help consumers choose internet-connected products that are less vulnerable. Announced in July, the program will certify and label products against cybersecurity criteria published by the National Institute of Standards and Technology (NIST). The criteria include, for example, unique and strong default passwords for each device, protection of stored and transmitted data, a mechanism for delivering software updates, and the ability to detect and report security incidents.
Amazon, Best Buy, Google, LG Electronics, Logitech, Samsung and other major tech industry players have endorsed the U.S. Cyber Trust Mark. Its distinctive shield logo is set to appear on certified products starting sometime this year.
Meanwhile, Europe's approach is stricter still. The Cyber Resilience Act proposes mandatory minimum cybersecurity requirements for products with digital elements, which covers connected devices broadly. The act requires manufacturers to design products with a limited attack surface, to place them on the market without known exploitable vulnerabilities, and to protect the confidentiality and integrity of the data the product handles.
In July, European member states agreed on a common position regarding the proposed legislation, and discussions with the Parliament on the final text followed. Once the act applies, likely within the next two years, manufacturers, importers and distributors that fail to comply could face fines of up to €10 million or 2% of their total worldwide annual turnover, whichever is higher.
Spurring innovation, tightening regulation
But tighter regulation is not the only tool governments are using against attackers who target connected devices. They are also funding innovation. That was the aim of the third body, NATO, when it launched its defense innovation accelerator last year. One of its inaugural challenges invited companies to build a secure, cohesive framework for monitoring and controlling IoT devices in military settings.
More than 1,000 applicants have since answered the pilot challenge call. The winning companies will receive direct assistance to help develop their ideas and, ultimately, increase the security of NATO and its allies.
Despite their different approaches (Europe regulating top-down, America incentivizing bottom-up and NATO funding innovation), these bodies are tackling the same pervasive problem: attacks on connected devices are succeeding more often and doing more damage, and the number of devices is growing quickly. One industry forecast, for example, predicts that the total number of connected "things" worldwide will more than double between 2022 and 2030, to roughly 30 billion. These bodies see now as the time to get tough on device security, and vendors that do not follow suit will pay the price.
Vendors should act now
While neither the U.S. nor the EU rules take effect immediately, vendors would be wise to begin upgrading their devices today, because changes of this scale take time to design, test and troubleshoot. Europe's General Data Protection Regulation (GDPR) is a useful precedent: companies spent heavily on readiness initiatives, and the financial and technical hurdles to compliance were considerable.
My advice for companies operating in these markets is to start getting up to code now. In practice that means stronger authentication (such as per-device credentials and two-factor authentication), encryption of device communications, and a vulnerability management process that finds and removes known flaws before products ship and patches them afterwards.
As devices become ever more common in the home and office, and ever more important in economic and social life, expect regulation to keep moving in this direction. Vendors should seize the opportunity to harden their endpoints now and get ahead of the competition. The cost of not acting today will be the cost of doing business tomorrow.
By: DocMemory Copyright © 2023 CST, Inc. All Rights Reserved