Opinion

Canada needs rules for internet-connected devices

The following op-ed was written by Catalyst founding executive director, Charles Finlay, and David Shipley, CEO of Beauceron Security (an alum of the Catalyst’s Cyber Accelerator program), and was first published in The Globe and Mail on July 31, 2023.

Our world is increasingly crowded with billions of internet-connected devices. Your car, your baby monitor, even your dishwasher – they’re all online, sending vast amounts of data across the internet.

The problem: These devices are often notoriously flawed when it comes to cybersecurity, offering hackers exploitable vulnerabilities that can expose not only the data collected by these devices, but the entire home network they’re linked with. In some cases, hackers can take control of these devices remotely. Which is maybe not a problem if we’re talking about a dishwasher but could be a major issue if we’re talking about a car or implanted medical device.

On July 18, the Biden administration announced a new voluntary cybersecurity initiative called the U.S. Cyber Trust Mark program. Consumer devices that meet cybersecurity standards will be identified with a unique mark, allowing American consumers to identify which internet-connected devices are cybersecure, at least for products manufactured by companies that choose to participate in the program.

This is an important first step in raising consumer awareness around vulnerable technologies, and providing much-needed security information to the buying public.

We believe that Canada must match the Biden administration’s move quickly, and establish a similar trust mark for Internet-connected consumer goods for sale in the Canadian market.

But we also believe that the Canadian government should go further and set mandatory requirements: All internet-connected devices that could affect the life safety of their users (BBQs or fire alarms, for example), or that are used in connection with children (baby monitors, for example), must meet key standards of transparency and security.

First, transparency: These devices should specifically state on their packaging that they do in fact operate through a connection with the internet. This seems basic, but it’s important – many consumers may only be vaguely aware of this when they first link their new product with their home WiFi, and easily forget about it afterward. It’s important that consumers be given the tools they need to make intentional and informed decisions about how many devices they want to own that are internet-connected, and in what contexts.

It is a perfectly reasonable and prudent choice, for example, not to put any internet-connected device with a camera inside your home.

Second, security: Manufacturers should clearly specify how their products are protected against cyberattacks, as well as what they expect of buyers in terms of maintaining security. For example, is it the responsibility of the owner to ensure security updates are performed regularly? Ideally, updates should be enabled automatically, by default, and manufacturers should also be clear as to how long security updates will be provided for the particular product.

This proactive communication will provide the consumer with the critical information that they need to protect themselves and make an informed purchase. It will also incentivize manufacturers to keep internet-connected devices secure for longer, lessening the burden on consumers to remember to replace products whose security features have elapsed.

With automobiles, we recommend that the government consider going even further. Many newer cars are continuously linked to the internet by cellular connections in ways that aren’t necessarily obvious to the everyday purchaser. These connections can create risks such as allowing cars to be tracked or even controlled by malicious hackers. The infamous 2015 Jeep Cherokee hack highlights the safety risk of internet-connected cars – a situation that resulted in a Chrysler recall of 1.4 million vehicles. This vehicle-hacking problem is still very much active – and to this day, there has been no legislation passed to address it.

This creates significant potential personal-security challenges. Consider someone driving alone on a highway at night who receives a false flat-tire notification and pulls over. Or the victim fleeing domestic violence in a car that can be followed on a computer.

We recommend that the government require all new automobiles in Canada to have a simple physical “off switch” that disconnects the car from the Internet – a software-enabled “off” option is not sufficient. Of course, activating this switch would likely disable certain functions, which must be clearly identified for the driver, but the point is to empower the driver to make that decision for themselves, if they deem it necessary.

Mandating security and transparency for consumer goods and automobiles are key levers that government can push to start to rebalance the deep information asymmetry that exists in the contemporary technology marketplace, where consumers often have little insight into how the products that they purchase and use create potential vulnerabilities that could affect them and their families.
