I completed a lecture on this subject this morning, and this issue was raised by the audience.
Whose responsibility is it to ensure that the embedded electronics and virtual systems capabilities are secure within IoT, IIoT and OT environments?
If you go by the CCPA (01 December 2020) and SB-327, it is the manufacturer?
And by the way who will police the CCPA SB-327 once it comes into force?
Yet, if you read the various voluntary codes of practice for the UK, Australia and New Zealand, they are pointed at the consumer. Shouldn't the consumer rebel if they were sufficiently conscious of the implications?
So where should it reside: with the manufacturer, the purchaser, or the people at the end, i.e. the consumer?
However, if we continue to accept manufacturers who a) do not register their products under the IEEE registration or continue to use shadow companies, or b) use whitelisted companies, this is obviously not sufficient. Examples of course involve Chinese manufacturers, but there may be others I am currently not aware of.
I see this as a tricky question to answer. Like @rslade says, it is ultimately the end user who is responsible for securing it. If senior management hires someone, like an IT manager, and they do a poor job at securing these items, then it still is the senior manager's fault.
In America we are having similar questions about things other than infosec in this same realm. Some people think that they should be able to sue gun manufacturers because someone used their product in a manner other than it was intended. Should the gun manufacturer have installed some more security measures so that the gun could not be misused? And you could swap out other industries instead of guns and you have the same argument. Can we sue alcohol manufacturers because someone got drunk and then drove their car and killed someone? Is the auto maker at fault for not designing an ignition lockout to test for drunk drivers? Can we sue phone makers or cell phone service providers because someone was distracted and crashed their car and hurt or killed someone? Baseball bats, ropes, crowbars, rat poison, etc. have all been used for purposes other than what they were intended. We can point out that these items could use some more security or laws around their use, and we have created lots of laws or put into place other countermeasures to try and restrict the "weaknesses" around these items not being as secure.
If a manufacturer is turning out massively insecure devices then people tend to stop buying them if the pain of the security weakness becomes more than the pleasure of the service the item provides. We have a saying here, "Vote with your wallet," which basically means if enough people are unhappy with the product, then they stop purchasing it. When sales fall off enough, it is no longer profitable for the company to continue making it.
The Infosec answer, in my opinion, is that it is the responsibility of the security staff to:
1) Know what is on their network
2) Search for vulnerabilities on their network
3) Find solutions for identified weaknesses and present them to senior management
4) Either find secure solutions for the weaknesses, or document them and have senior management accept the risk
5) Start back at #1
So my final answer is that it is the security staff's responsibility to find secure ways of having them on the network, with the ultimate culpability and responsibility residing with senior leadership.
@CISOScott Hi Scott, I agree and differ at the same time.
I believe it should be a joint responsibility:
1) Correct, the clients, including consumers, elect to purchase or not to purchase - agreed.
2) Manufacturers should be brought to book, and forced to reveal the details of their embedded capabilities and their function as per the CCPA SB-327, and ensure they are secure before they leave the factory.
3) Governments need to get behind this, not only from a privacy perspective, but because the public need to know, not just about the toys but about the very domestic items they purchase, and should have the ability to disable the capability if they want to as well. They cannot do this easily if there are no instructions within the manufacturer's instructions.
4) The consumer needs to be made far more aware, and have the right to disable the functionality easily without it being overridden - they at least have this right - or someone is going to make a killing on screening jackets for SmartTVs or similar attachments.
@Caute_cautim And I agree with everything you just said.
I guess I was hoping that the decreased sales would push the manufacturers to correct their defects, but many will only do so if they are A) forced out of the market by poor sales or B) forced by regulation to make better products.
And with your points 3 & 4 I could not agree more strongly. Yes!
However, it appears others have products for screening purposes - but we should not have to go to this extent.
@Caute_cautim the answer will vary with perspective, and also depend on the environment, risk level, and --- last but not least --- awareness.
A company providing services / products in a country with an inefficient legal system & lax regulations will not feel much need to bear any responsibility --- particularly if the impacted entities are individual users.
On the other hand, if the impacted entity is an important customer / has a lot of influence & can potentially impact business, the vendor / provider is more likely to bear the costs of something going wrong.
If I use a product / avail of a service that has risks, should I choose to accept these I would exercise due care / diligence from my side, rather than simply bank on a vendor / provider taking responsibility --- given that I will feel the impact at the end of the day.