
IoT Security By Design and By Default: The 2023 Rules

It is now law at the federal level and in a growing number of states that products and services within the Internet of Things (IoT) must contain baked-in privacy and security by design and by default. This represents a huge change for product developers, service providers, investors, owners, and buyers, who must learn the new requirements and how they are enforced, and understand this new business reality.

The Problem: "Vulnerability By Design"

The current state of technology products and services is said to be "vulnerable by design," with the greatest burden of responsibility for privacy and security falling on the weakest link in the economic chain - the end user, individuals and small businesses. Contracts commonly shift liability for the privacy and security of products and services from the seller to the consumer. Often the least able to address the problems, consumers are then expected to buy patches, redundant hardware, firewalls and monitoring services that can themselves have leaks and gaps. The result has been a bonanza for cyber criminals affecting individuals and businesses, and creating financial burdens for our economy and national security threats for our country.

The Change: "Privacy and Security By Design and By Default"

A new top-down approach began widespread implementation in just the past 2 years, and enforcement moved into high gear at the state and federal levels in 2023. 

Companies that design, sell, and deliver IoT products and services must now be responsible for the privacy and security of data flowing through them, throughout the data lifecycle. In their product activities and business practices, companies must demonstrate compliance from the initial service design to their up-to-date product maintenance, from the CEOs to the software designers. 

New guidelines have been issued by the U.S. National Cybersecurity and Infrastructure Security Agency (CISA), in cooperation with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Federal Trade Commission (FTC), together with other domestic and international cybersecurity agencies. They collaborated to form a united new security-by-design Strategy & Report published March 2, 2023. 

At the state level, Montana and Tennessee join at least a dozen others with comprehensive state privacy laws requiring the makers and sellers of products and services to "reasonably conform" to federal privacy standards by design and by default, from their internal functions to the secure handling of data throughout its lifecycle. 

This new business landscape upends the old model, now requiring the executives of IoT product and service companies to adopt measurable standards of compliance. Authorities at the federal level have united to enforce the new rules, including a special focus on those who received grants and other funding boosts and budgets to require the changes, assure compliance, and mandate disclosure of incidents with the aggressive pursuit of violators. The trend in state privacy laws is now to require compliance, not merely recommend it.

An example to illustrate the current state of cybersecurity enforcement is the recent felony criminal conviction of the CEO of Uber while under an FTC consent decree, for concealing a security incident.

The CEO of Drizly, whose company was also under an FTC consent decree, was found to have failed to "implement, or properly delegate the responsibility to implement, reasonable information security practices" within the company.

Deficiencies Checklist

The IoT Cybersecurity Improvement Act of 2020 addressed a wide variety of tech devices and services, from security cams to fitness trackers to industrial controls and sensors, and everything with connectivity in our homes and businesses. The interagency investigation leading to the federal strategy report determined that too often IoT devices deployed today were designed with one or more of the following internal flaws to look for. They:

- are not sufficiently protected against cybersecurity threats,

- were deployed with inadequate default settings,

- can be difficult or impossible to patch or upgrade, 

- come equipped with advanced and sometimes unnecessary capabilities that enable malicious cyber activities on critical physical and digital systems, 

- can be easily exploited by bad actors to construct botnets and conduct surveillance.

The New Standards

The strategy report outlined the emerging standards for IoT products and services, a checklist to evidence security by design and by default, including:

- use of memory safe programming language, 

- secure hardware architecture, 

- secure software components (like software libraries, modules, middleware, and frameworks), 

- secure web template frameworks, 

- a secure code review process, 

- use of defense-in-depth to ensure layered security features, 

- elimination of default passwords, 

- mandatory multi-factor authentication, 

- implementation of single sign-on, secure, robust logging capabilities, 

- providing guidance to customers on appropriate authorized profile roles and use cases, 

- consideration of user experience in security design, 

- incentivize customers to implement their products in a secure manner rather than “allow[ing] them to remain vulnerable indefinitely,” 

- implement the hardened version of their product out-of-the-box, and publish “loosening guides,” such that the secure configuration would become the default, and the customer would be enabled to reduce security controls at their discretion,

- employ IoT security labels, so investors and consumers alike can compare the cybersecurity protections offered by different IoT products,

- follow an adaptable safe harbor framework to securely build and maintain IoT products and services, drawn from current best practices of the National Institute of Standards and Technology (NIST) Secure Software Development,

- pursue development of new tools for secure software,

- have software transparency to demonstrate security by design and default,

- engage active and ongoing discovery and rediscovery of vulnerabilities, with disclosures, and

- partner with open-source memory-safe languages, techniques, frameworks, and testing tools.

The Report encourages manufacturers of IoT to build their products and services with security at the forefront, accountable for the security outcomes of their deliverables.

The Security By Design... layered approach requires every step of the product design and development to be informed with security as a top priority.