The Internet of Things (IoT) keeps growing, and as it grows, so too do its security issues. Yet the US Federal Trade Commission, which deals with products like these, doesn’t seem to be that worried about it.
The Guardian reports that at a cybersecurity conference on Monday, acting FTC chair Maureen Ohlhausen said the agency would wait for risks to “materialise” before taking action.
Ohlhausen — who served as a Republican commissioner on the FTC from 2012 until January, when Trump designated her acting chairwoman — had this to say about the dangers posed by IoT devices:
“We’re saying not ‘Let’s speculate about harm five years out,’ but ‘Is there something happening that harms consumers right now or is likely to cause harm to consumers,’” Ohlhausen told the audience at the conference. If there is potential harm to consumers in a new technology, the FTC should not act until that harm manifests, she said: “We don’t know if that risk will materialise. It may well materialise, but a solution may materialise at the same time.”
This is… a bad position to take! For starters, it seems pretty simple and obvious that, in this case, preventative care is better than a cure. Why would you wait until a hack takes down infrastructure at a hospital or, God forbid, my precious cup of java, to impose regulations? One of the great parts about regulation is that it — get this — tries to prevent massive screw-ups from happening in the first place.
More to the point, however, security issues with IoT devices are already demonstrably harmful. Last October, large chunks of the internet, including sites like Twitter and Spotify, went dark after IoT devices like cameras and DVRs were compromised in a massive botnet attack on Dyn DNS servers. Hackers used a type of malware called Mirai, which automatically seeks out IoT devices to form a botnet, a network of devices that can be used to direct attacks without the owner’s knowledge. That botnet then floods servers, in this case Dyn’s, with traffic, making the websites hosted at those servers impossible to access.
And Mirai isn’t the only way IoT devices can be compromised. Just today, researchers discovered a new kind of IoT malware entirely separate from Mirai. In 2015, a team of hackers discovered a flaw in Samsung smart refrigerators that could be used to steal Gmail login credentials. Imagine getting your emails hacked because of your dang fridge.
Part of the problem here is that, as Ohlhausen herself noted, the FTC is “not primarily a regulator”, but more of an enforcement agency. As we’ve seen with the issue of internet privacy, those who want less regulation tend to push FTC oversight over issues precisely because they know it’s so weak. But if the FTC doesn’t regulate IoT devices, who else will? A US federal court ruled in 2015 that the FTC has authority to act on cybersecurity, if it considers a company’s practice “unfair” to consumers. (It can also issue guidelines in enforcement cases, as it did with native advertising in 2015.)
It seems logical that connecting everything in your home to the internet greatly increases the number of potential security flaws. There are already billions of IoT devices, and that number is only increasing. With companies rushing to add connectivity features to their products to compete, it’s inevitable that at least some of them won’t have high security standards. But it seems you’ll have to wait for something pretty bad to happen before the FTC does anything about that.