France mulls manufacturer liability & open-sourcing, IoT industry on edge
The French government has floated a proposal to make manufacturers of internet-connected devices liable for the security of their devices while they are on the market.
The French government has floated a proposal to make manufacturers of internet-connected devices liable for the security of their devices while they are on the market and to ensure that software running such devices be open-sourced once they reach the end of life stage.
The proposal, if discussed at higher levels of government and implemented in the near future, may have far-reaching implications on the IoT industry. While imposing liability on manufacturers for the security of their devices could force them to invest more in design-by-default processes, open-sourcing software at end-of-life stage could ensure that people will be able to use their existing devices securely without having to purchase newer products.
If a similar idea were floated by the UK government to regulate the IoT industry and to fix blame in the event of hackers exploiting severe vulnerabilities in IoT products to compromise user identities, would manufacturers take it lying down?
“Absolutely not, manufacturers will not agree to such a proposal unless it is forced upon them by law. The only scenario where manufacturers would agree to such a proposal is if it reduces cost and increases value, however this proposal does neither, as it increases both liability and accountability," says Joseph Carson, chief security scientist at Thycotic.
Aside from these two factors, Karl Lankford, senior solutions engineer at Bomgar, says that manufacturers will be hesitant to agree to this proposal "as it could present more risk than reward". This is because most of them will be hard-pressed to immediately upgrade equipment once new security vulnerabilities are detected. However, if they are forced to consider privacy by design through legislation, it will ensure a secure software-development-lifecycle that will keep devices secure throughout their respective life cycles.
"GDPR is a stepping stone to this, by forcing organisations to consider privacy by design, and security should follow suit to ensure a secure software-development-lifecycle. Ultimately IoT manufactures should make best efforts to supply a solution that is secure-by-default rather than leaving open gaps to be exploited by threat actors," he adds.
However, Ian Castle, chief technical officer at ECSC Group plc, believes that bringing in a legislation to impose liability on IoT device manufacturers could have a chilling effect on software development.
Castle says that by floating such a proposal, the French government wants to imply that since the impact of a security vulnerability could be higher than that of a hardware issue, liability can no longer be limited and should cover a product's entire lifecycle.
"This would extend creating software into similar areas as ‘corporate manslaughter', which extends liabilities over provision of certain services, eg if a cross-channel ferry sinks with loss of life, survivors' families may be entitled to more than a simple refund of a ticket. It doesn't sit well with existing legislative frameworks and would need a lot of thinking about," he says.
As far as open-sourcing software at end-of-life is concerned, Castle says that any law governing this aspect will have to ensure that if the manufacturer ceases trading, access to the source is possible. However, this is also a legal minefield as "a software solution is made up of many different contributions from different providers, who are licensing it for a specific use, which would not include open sourcing".
"Even when a company is willingly open sourcing an application, it can take a long time to establish if they actually have the rights to open source it," he says. He adds that if software is open-sourced at end-of-life, then it will ensure that end-users will receive free upgrades forever or access to the system source code, thereby making it difficult for manufacturers to market newer products and, in turn, impacting their revenues. This could have a very disruptive effect on the industry.
According to Lankford, "Manufacturing and operational technology can often be in theatre for an extended lifecycle for 10 years or more; proving open access to source code and other security vulnerabilities could lead to new widespread threats from malicious actors". However, according to Carson (quoted above), "a timely fix to newly found vulnerabilities once EOL'd then the code is open-sourced to allow communities to keep it updated".
Carlson adds that the IoT industry is plagued with modern devices still running legacy operating systems and featuring very poor or no security controls.
"Many of the systems and devices still being introduced are running legacy operating systems, in some cases, Windows 7 and even Windows XP. Firmware having hard coded passwords, Web Interfaces running over HTTP, security controls with very basic with simple PIN numbers, have no authentication integration or encryption. All of these might have been fine in a complete air-gapped system which the perimeter could be controlled and tightened however, with today's cloud, mobile and connectivity this is almost an impossible task and these systems are being exposed to the public internet.
"The lack of security by design means that the risks and threats against IoT devices and systems are high and all companies considering deploying IoT should really consider the increased risks against the benefits. It is important that IoT devices and systems have security by design and are transparent that they have been tested for basic security practices. The EU has recently discussed introducing a security check on IoT devices such as webcams etc," he says.