The EC has proposed the Cyber Resilience Act to ensure all connected devices sold in the European Union (EU) adhere to a new set of cybersecurity standards. The security community welcomes the development, asserting security can never be an after-thought, especially when it comes to products used by regular folks. “Security has to be built into devices during the design phase before they are unleashed on an unsuspecting world,” Sam Curry, Chief Security Officer at Cybereason, told Lifewire over email. “To require that companies selling software in markets have processes and take security seriously is not a stretch for the 21st century.”

Internet Pollution

Explaining the need for smart device security, Tim Helming, security evangelist with DomainTools, said in an email to Lifewire that people fail to see them as a stepping stone for bigger attacks.  For instance, the risk with smart devices like baby cameras isn’t just restricted to hackers tapping into the baby camera to spy on the home. While these things do happen, Helming says hackers also take advantage of the weak security in these devices to break into other devices on the home network, which could contain sensitive data like banking details.  Dray Agha, Senior ThreatOps Analyst Team Lead (UK) at Huntress, looks at the issue from another perspective. “Adding cyber security to a product is an expense,” Agha told Lifewire over email.  This resonates with Pete Chestna, North America CISO at Checkmarx, who said in an email with Lifewire that most people buy on price, not security, arguing that the legislation will level the playing field for vendors that have already strengthened their security practices and provide a needed level of protection for unwitting people.  Matthew Mullins, senior security researcher at Cybrary, doesn’t mince words when he says, “IoT and smart devices have been comically insecure for quite some time,” in an email exchange with Lifewire. He explained the existing security measures in these devices are often the lowest requirement level and not enough to thwart determined attackers.  Describing the extent of the problem, Curry said many smart devices often have no patch or upgrade process, ship with default passwords, and sometimes their manufacturers may go out of business in a year or two while the devices might survive for years or decades.  “[These devices with poor security] could become the digital equivalent of Internet pollution if they are manufactured, shipped, and abandoned with weak security,” said Curry.

Rising Tide

Omer Yaron, head of research at Enso Security,  believes many vendors will operate in a security-first way only when the demand comes from a place of compliance. “This is why these regulations are a good thing—they give the provided push for all the others,” Yaron told Lifewire in an email. While the regulation is proposed by the EC, Marcus Scharra, co-founder and CEO at senhasegura, believes we are living in a world with open digital borders. “If it’s a law that ensures good data protection practices and consumer autonomy in the safe use of technology, it becomes a mirror with a positive effect for countries around the world,” Scharra told Lifewire in an email. Agha also believes the legislation will have a cascading impact since it’s unlikely that vendors worldwide will create tiered products, where only the EU devices are the more secure versions. Commenting on whether the legislation will be able to bring about a positive change in smart device security, Scharra says the right to privacy is the trigger for civil society to understand and support this law. “Gradually, the notion of cyber resilience will have room in public discussions and minds,” said Scharra. “Enhancing the security of devices that make your life better, that come into your home, that share intimate space with you, is the practical and natural step on this path.”