Uncertain Regulatory Theory and Law Hampers Consumer IoT Cybersecurity


by Samuel G. Bieler

This is the second in a two-part series exploring what drives weak cybersecurity in consumer IoT devices. The first part may be found here.

Poor regulation of the consumer IoT electronics sector compounds the negative market incentives discussed in the first part of this series. While standards for IoT devices are taking shape in some sectors of the U.S. economy, no similar regime has been developed for the broad consumer IoT electronics market. Moreover, little expert consensus has developed as to what such a regime would look like even if the political will existed to implement it. Such a regime would also have to contend with the challenges of regulating a market where many key actors are overseas. These challenges need not pose an insuperable barrier to developing a sound regulatory regime but do suggest that far more thought needs to be put into understanding what IoT regulation would actually look like.

Today, no nationwide regulatory structure governs consumer IoT devices. In other markets, the federal government has begun building out a framework for the regulation of IoT devices. In the healthcare sector, for example, the Department of Health and Human Services has developed both voluntary cybersecurity guidelines for healthcare enterprises and guidance for complying with regulatory mandates such as the FDA’s pre- and post-market cybersecurity guidance for medical devices and the general HHS cybersecurity guidance for complying with HIPAA’s Security Rule. The DoD has also released new vendor guidance for complying with its contractor cybersecurity regulations, and noncompliance may carry contractual, civil, and criminal penalties. Conversely, the closest thing to federal regulation that exists for the broad consumer market is the FTC’s general cybersecurity enforcement program, which has numerous shortfalls.

The FTC has stepped into the void that existed in general U.S. cybersecurity to become America’s de facto general cybersecurity regulator. However, its efforts to fill this role – while heroic – have always been of doubtful efficacy. From the start, it was questionable whether the FTC had the resources or expertise to meet the challenge of regulating a sector as broad and diverse as consumer cybersecurity. In FY 2018, it had only 52 full-time employees tasked to Privacy and Identity Protection, the FTC division primarily charged with information security. Additionally, since 2000, the FTC has brought just over 60 cases for unfair or deceptive cybersecurity practices. Commenters, including U.S. Senator Ron Wyden, have increasingly questioned whether the FTC has the expertise to make sound decisions on the diverse array of issues involved in regulating cybersecurity.

The Eleventh Circuit’s June 2018 LabMD decision has further weakened the FTC’s position as a general cybersecurity regulator. LabMD struck down an FTC final order requiring LabMD to adopt “reasonable” security measures. The court found this order too unspecific to be implemented or overseen by a district court through an injunction.

It is too early to say how significant this decision is for the FTC’s cybersecurity efforts. On the one hand, the FTC has used this “reasonableness” language for most of its cybersecurity enforcement actions, including high-profile actions against Twitter and Uber. If other courts adhere to the Eleventh Circuit’s reasoning, the entire posture of the FTC’s cybersecurity enforcement regime may be vulnerable.

Conversely, it is possible that the impact will be limited. The FTC’s chair stated that the Commission has “no intention of slowing down,” and three months after LabMD, the FTC entered a settlement on a cybersecurity issue with mobile phone maker BLU Products and again used the reasonableness language in the resulting order. This may suggest that the FTC can regulate much as it has, even if LabMD provides counter-parties with more leverage at the negotiating table than they had before. Even so, this increased leverage will compound the technical and personnel challenges the FTC faces in regulating cybersecurity.

In addition to lacking an empowered general regulator, consumer IoT suffers from the fact that there is little consensus about what kind of regulatory regime should be enforced. The FTC has taken a common law approach that made “reasonableness” the touchstone of cybersecurity regulation. California’s newly passed IoT law takes generally the same posture. Reasonableness is a common legal concept, so applying it to consumer IoT has intrinsic appeal. Professor William McGeveran of the University of Minnesota has also argued that reasonableness provides a relatively administrable standard that businesses can comply with.

However, other commenters like NYU Law School’s Randal Milch suggest that, beyond the most basic security deficiencies the FTC has specifically acted on, its reasonableness approach lacks a definition businesses can administer and comply with. Thus far, courts seem to have taken the latter perspective: the LabMD court felt a reasonableness standard was unadministrable, and even the Third Circuit in the more favorable Wyndham decision suggested that the FTC’s guidance, orders, and complaints might be insufficient to provide guidance as to what is an unreasonable practice. Thus, while the reasonableness approach has gained some traction, courts continue to be skeptical of the FTC’s efforts to implement it, and it is unclear whether and how businesses could apply this to improve their consumer IoT.

The alternative to a reasonableness approach is regulations mandating or prohibiting particular security practices. For example, California’s new IoT law, while largely hewing to the “reasonableness” standard, also bans devices with default passwords. These fixed passcodes were a major factor in the Mirai botnet’s success. The major advantage of this approach is administrability. This is particularly important for small and medium-sized businesses, which may struggle to assess and implement the requirements of a more indeterminate system. But this approach, too, has its weaknesses, most notably the criticism that such a “regulatory checklist” will not increase cybersecurity. At the recent FTC panel U.S. Approach to Consumer Data Security, Professor David Thaw noted that a major disadvantage of checklists is that they make it easier for adversaries to identify what security features are in place and circumvent them. Another critique is that such lists destroy the “security mindset” – regulated entities focus only on complying with the list, rather than actually promoting good security. Thus, with both reasonableness and checklist regulatory approaches under scrutiny, it remains difficult to build momentum for a strong regulatory project to counterbalance negative consumer IoT market incentives.

In either case, the U.S. regulatory regime will have to address the fact that many of the most problematic actors are overseas. Cheap consumer IoT electronics with weak security frequently come from foreign manufacturers, China in particular. While some security experts like Bruce Schneier believe that even state regulation like California’s can nudge companies towards better security, questions remain about how effective liability and regulatory regimes will be in improving security in interconnected foreign products.

In sum, consumer IoT has no unified regulatory structure, and the FTC, the one agency that has been attempting to provide some kind of uniform standard, now faces a less favorable jurisprudence that may weaken its enforcement posture. At the same time, even if the will existed to adopt a more robust general consumer IoT regulatory ecosystem, debate remains about what such a system would look like. Collectively, this makes it unsurprising that many commenters have found the current U.S. regulatory regime inadequate to the task of promoting good cybersecurity.

However, these issues need not be insuperable – incremental rulemaking on key security concerns can begin to build a more robust cybersecurity framework. For example, the FTC has resisted using its Magnuson-Moss rulemaking power to promulgate cybersecurity standards. While the Mag-Moss rulemaking process is extremely cumbersome, it could codify basic best practices that the FTC already recommends, like multi-factor authentication, and potentially be an action-forcing tool for further political activity as companies and legislators are forced to respond to the FTC. Such a process resembles the disfavored checklist approach. However, IoT is a space where incremental cybersecurity steps have the potential to ameliorate many of the most glaring domestic shortfalls in the consumer IoT electronics market. This could also offer some breathing room to consider more substantive reforms. Alternatively, Congress could take the same approach it took for personal financial information under the Gramm-Leach-Bliley Act and give the FTC the authority to make cybersecurity regulations using the more efficient APA rulemaking process.

Today, the economics of the consumer IoT market promote poor cybersecurity and the existing regulatory ecosystem is insufficient to counterbalance these incentives. As a result, dozens of consumer IoT electronics with weak security exist and these devices could seriously undermine the functioning of the internet. Addressing these shortfalls will require reweighing consumer IoT market incentives and developing a coherent regulatory posture that does not allow the perfect to be the enemy of the good.

Samuel G. Bieler is a Student Fellow in the Program on Corporate Compliance and Enforcement at New York University School of Law.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.