Regulation is coming to the world of Internet of Things (IoT), according to security expert Bruce Schneier, who used his keynote at Infosec 2017 to warn delegates of the dangers of inaction.

“Regulation is coming for us”, he told the audience, adding:

Governments are going to get involved, regardless. The stakes are too high – the real physical threats from the IoT will force them to act – we’re talking about fear. And nothing incentivises governments to do something stupid like fear. The choice is not between regulation and no regulation, like it used to be. It is between between smart government regulation and stupid government regulation.

And if we don’t want outside regulation imposed on us with little thought behind it, we need to start thinking about this. We are one disaster away from government doing something – we need to ensure it is something that is also smart.

Schneier continued to highlight the dangers of the technologies involved, comparing the current trajectory to building a giant, distributed “world-sized” robot, but without clear oversight, he said.

Back in 2011 Marc Andreessen wrote about ‘Why Software Is Eating The World’ but now what is eating the world is IoT. A lot of this cyber-physical technology has the potential to deepen inequities, widen the digital divide. For example, Wannacry’s ransomware attack in the UK resulted in people being turned away from hospitals – that is an availability attack, not a confidentiality attack. Ransomware attacks against cars and against medical systems are different, and suddenly matter much more than attacks against computers.

The remarks follow a statement in March from Maureen Ohlhausen, the head of the US Federal Trade Commission (FTC) that it would take a “wait and see” approach to regulation, in spite of large-scale DDoS attacks like the one generated by the Mirai botnet in late 2016 that knocked domain name system (DNS) host Dyn offline with an attack of historical volume.

The European Commission, in contrast, has announced plans to improve IoT security via the creation of a certification process for devices, comparable to the European energy-consumption labelling scheme, which was implemented in 1992 and covers white goods and similar products.

via:  nakedsecurity