With the ever-increasing number of cyber attacks in recent years and victims ranging from individuals and startups to Fortune 500 businesses - the law enforcement agencies and governments all over the world continue to raise concerns.
For many businesses, cybersecurity has become a board-level issue. Cyber threats continue to rank among global risks, according to the World Economic Forum's Global Risks Report 2021.
The proliferation of smart, networked, and intrinsically unsecured devices is changing the security landscape. The shifting legal cybersecurity landscape in the context of the Internet of Things is examined in this article.
Image Source: Kevin Wallace Training, LLC
In 1999, British technology pioneer Kevin Ashton coined the term "Internet of Things" to describe a system in which tangible things can be connected to the Internet via sensors.
Now, the Internet of Things (IoT) is rapidly growing in practically every sector that it can fit into, and it is present in the daily lives of most individuals and companies. Consumers benefit from the IoT's interconnected objects in a variety of ways, including utility, improved quality of life, and increased productivity.
As a result, authorities and marketers want it for the goal of harvesting a large amount of user data, such as their lifestyle, preferences, and other personal information. Because IoT has such a broad impact and connection with users' lives and software systems, it's vulnerable to malicious attackers aiming to wreak havoc.
Moreover, due to mass-production on a low budget, many IoT products have extremely limited security procedures in place to defend the systems. There's also the fact that these gadgets rarely provide updates or patches to address vulnerabilities, leaving the general public exposed when a new attack vector emerges.
Image Source: Reversing Labs
In 2016, thousands of computers were effectively taken over by the Mirai Botnet attack.
Due to the poorly secured configuration of IoT devices, hackers launched a Distributed Denial of Service (DDoS) attack against a DNS provider, causing internet outages for consumers in North America and Europe.
This attack drew a lot of attention to the need for new security approaches to be incorporated within these devices, and some research has been done in areas like blockchain-based architecture to protect against future attacks.
The software industry must adapt and take precautions in the future, such as protecting architecture components and implementing existing manageable security controls that can mitigate some of the potential harm of these devices until more permanent security can be achieved.
For these devices to be fully secure, their development process may need to be restructured to overcome their incapacity to receive patches; or a higher focus on security measures that can match their durability while remaining cost-effective should be placed in general.
Cybersecurity is now frequently mentioned by policymakers and is frequently at the top of political agendas. Governments from all around the world have attempted to safeguard cyberspace and its systems (at least on paper). They've come up with and implemented a slew of cybersecurity initiatives.
The Budapest Convention
The Budapest Convention was ratified in 2001 and became effective in 2004. The Budapest Convention is open to people from all over the world. To date, 48 countries have signed the Convention, including numerous non-EU members such as Australia, Canada, Japan, and the United States. Six states have also signed on as signatories, with another 12 being encouraged to join.
Prosecutions against the confidentiality, integrity, and availability of computer data and systems (Art. 2–6) and (ii) computer-related breaches (Art. 7–8) are included in the Budapest Convention's four categories of substantive offenses.
Articles 2–6, which cover hacking and computer trespass (within the general idea of "unauthorized intrusion"), are meant to preserve the confidentiality, integrity, and availability of computer systems, according to the explanatory report.
As a result, the Budapest Convention clearly reflects the importance of (preserving) the CIA trinity. The Budapest Convention defines "computer systems" as
"any device or a collection of interconnected or related devices, one or more of which, in response to a programme, performs automatic data processing" (Art. 1).
Despite its widespread acceptance, the convention is still not global. Significantly, it ignores a major portion of emerging countries, implying that it does not cover a significant portion of Internet users.
The NIS Directive
The EU has taken a number of steps to combat cybercrime and strengthen cybersecurity. The EU approved and designed the following regulations and strategies in this context: The NIS Directive, the General Data Protection Regulation (GDPR), and the EU Digital Single Market Strategy (DSM) (which combines initiatives on security and data protection in particular).
Furthermore, in light of the importance of private sector participation in the cybersecurity arms race (due to the fact that the majority of network and information systems are privately operated), the EU launched a public–private cybersecurity partnership in 2016, as announced in the DSM in 2015.
The NIS Directive is the first EU-wide cybersecurity legislation. Its primary goals are to achieve minimum regional (EU) harmonization and to improve the online environment's trustworthiness, all of which contribute to the DSM's establishment.
The CIA triad is explicitly mentioned in the NIS Directive's definition of NIS security, which states:
"the ability of networks and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or the related services offered by or accessible via that network and information systems" (Article 3 of the Draft NIS Directive).
The IoT Cybersecurity Improvement Act of 2020
More recently, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, sponsored by Senators Cory Gardner and Mark Warner in 2017, was enacted by the House of Representatives in October of 2020. The law was enacted to establish basic security requirements for all IoT devices purchased by government entities. The law had 26 co-sponsors, including Democrats and Republicans, and it received bipartisan support in a political environment that hasn't seen much in recent years.
On December 4, then-President Donald Trump signed the Internet of Things Cybersecurity Improvement Act of 2020 into law, making it the first federal regulation of the Internet of Things (IoT).
In cybersecurity, change is the only constant: Due to the dizzying pace of technical change, the intelligence of attackers, the worth of possible targets, and the subsequent repercussions of attacks, among other things, the cyber landscape is always changing and evolving.
Given the impending growth in the use of susceptible Internet-connected products, strengthening IoT security is a significant, urgent, and worldwide problem, as with all things cyber.
The boost in the Internet of Things (IoT) will necessitate precise legal frameworks. The challenge will be to create frameworks that are flexible and unorthodox enough to keep up with the quickly changing threat environment that is inherent to the technology.
While there has been considerable progress in this area, particularly inside the EU (at least documented), it remains to be seen how the recently established legal instruments will be implemented in practice.
However, enhancing cybersecurity in general, and in the context of the Internet of Things in particular, should not be restricted to legal or regulatory initiatives.
Instead, regulation in this environment should include several components (as it already does), such as bottom-up governance and dynamic, multi-stakeholder regulation, possibly through a polycentric approach.