IoT Cybersecurity-Related Statutes, Regulations, and Policies
Technology is evolving rapidly, implying that the number of devices connected to the Internet of Things (IoT) might increase considerably over the coming years. Through IoT, people will be able to utilize virtual assistants to improve their lives. Although the expected growth will benefit people, the economy, and infrastructure, the progress might present multiple cybersecurity-related threats, which explains the need for significant changes, from hard to soft law, in IoT cybersecurity-related statutes, regulations, and policies to curb cyber threats.
Unlike before, flexible and adaptable soft laws for the technological governance of IoT now exist. This is a significant change from traditional regulatory processes, regarded as “rigid, bureaucratic, inflexible, and slow to adapt to new realities” (Hagemann, Skees & Thierer, 2010, p. 63). Initially, the process of formulating statutes to govern new technology was slow due to the bureaucracy involved in hard law, which explains the absence of statutes on IoT in the United States. For instance, multiple government agencies were mandated to oversee IoT regulations, making the process slower because several parties were involved. However, amidst the series of destabilizing and damaging cyber-attacks, effort has been directed towards developing soft law for technological governance (Pino, 2013). With the soft laws in place, the National Cybersecurity Safety Board (NCSB), in collaboration with the U.S. Congress, is expected to introduce and enforce statutes that govern IoT.
So far, a few statutes governing IoT have been tabled and enacted in the last year, including SB-327 on information privacy and the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. Based on the information provided by California’s Senate, the former law requires IoT device manufacturers to provide “reasonable security measures” (Newman, 2019). The law is expected to facilitate the protection of consumers’ information against cyber-attacks by ensuring that manufacturers equip devices with internal security features before distributing them in the market. In contrast, the IoT Cybersecurity Improvement Act of 2019 requires agencies to report potential risks involved in using IoT devices to the government. The current statutes, regulations, and policies generally focus on strengthening cybersecurity to protect citizens, the economy, and national security against cyber-attacks.
While the above laws and policies may help secure the United States’ cyberspace in the short run, changes may be required to ensure that they better fit the cybersecurity environment in the future. Scholars observe that cybersecurity comprises technical issues that constantly evolve due to technological innovation (Grant, 2019). For instance, the current state of technology will evolve, presenting potential cyber threats to the information contained in IoT devices. Therefore, the “reasonable security features” emphasized by the current statutes may not be applicable in the foreseeable future. Besides, securing cyberspace requires coordinated efforts from the entire society (“The National Strategy,” 2003). However, the majority of the current statutes appear to focus on the efforts of the private sector and the federal government. Hence, some of the laws that govern IoT may require significant changes to ensure that they sufficiently curb cybersecurity threats in the future.
Overall, the expected growth of devices connected to IoT and the interrelated cyber threats are critical reasons for the change in IoT statutes from hard to soft law. The current regulations are flexible and adaptable, which makes it easier to strengthen the United States’ cyberspace. However, considering that technical innovation is in constant evolution, changes may be required in the current statutes to ensure that such laws are relevant in the current and future cybersecurity environment.
“The national strategy to secure cyberspace” (2003). The White House. Retrieved from https://georgewbush-whitehouse.archives.gov/pcipb/
Grant, J. (2019). Will there be cybersecurity legislation? Journal of National Security Law & Policy, 4(103), 103-117.
Hagemann, R., Skees, J., & Thierer, A. (2010). Soft law for hard problems: The governance of emerging technologies in an uncertain future. Colorado Technology Law Journal, 17(1), 37-131.
Newman, D. (2019, February 19). IoT in 2019: What can we expect? Forbes. Retrieved from https://www.forbes.com/sites/danielnewman/2019/02/19/iot-in-2019-what-can-we-expect/#33cd9326c39a
Pino, R. (2013). Network science and cybersecurity. New York, NY: Springer Science & Business Media.