
DCS029 Home Work

Uploaded by

sadeeq naalkali

DEPARTMENT OF COMPUTER SCIENCE, UNIVERSITY OF JOS,

DSC 029: COMPUTER AND SOCIETY

INSTRUCTION: ANSWER ALL QUESTIONS

(1) Explain the following:
(i) Computer
(ii) Computer Professionals
(b) List five roles of computer professionals
(c) List three responsibilities of a computer professional and explain them.

(2) Explain what you understand by the following ethical terms:
(i) Ethically Obligatory
(ii) Ethically Prohibited
(iii) Ethically Acceptable
(iv) Negative Rights/liberties
(v) Positive Rights/claim-rights
(b) Discuss two legal issues associated with public access to information.
(c) Explain, with the aid of an example, what you understand by copyright.

(3) Please read carefully the case study below and answer the following questions.
(a) What is the meaning of the following?
(i) IoT
(ii) VDP
(b) Discuss the security issues associated with IoT devices.
(c) The UK’s proposed legislation mandates that IoT device makers comply with the top three security requirements. What are these three requirements?
(d) Discuss from this case study what you understand by the term California’s SB-327.
(e) From this case study, when do security measures need to be built into smart products?
(f) Discuss the issues with the California law on Internet-connected or smart devices that goes into effect in 2020.

Case Study One
It's time to legislate security for consumer IoT devices

Security of the Internet of Things (IoT) — from televisions to refrigerators — is making
headlines across the Atlantic, and it should be of great concern here at home. New IoT security
legislation is being proposed by the UK government to better secure the hundreds of thousands
of devices — beyond just smartphones and laptops — that consumers have connected to the
Internet. The proposed legislation has the potential to impact the security of devices made across
the world in order to meet the UK’s future standards. That’s important, because as an industry
IoT has prioritized new features and functionality over protecting consumers’ security when
bringing new products to market. The legislation that is working its way towards law in the UK
should be a model for any proposed U.S. legislation on IoT security.

While California’s IoT security law SB-327 banned the use of default passwords, which expose
consumers to risk, on IoT devices, nothing else has really been done to address the IoT industry’s
widespread security issues. Manufacturers often still fail to provide software and security
updates to devices throughout their products’ complete lifecycles. There are generally no means
to report security vulnerabilities when they are found. No proper labeling system exists to inform
consumers about the security of their IoT device. All are causes for ongoing concern as they put
consumers at continued risk.

The UK’s proposed legislation mandates that IoT device makers comply with the top three
security requirements that are set out in the UK’s recently published ‘Secure by Design’ Code of
Practice for Consumer IoT Security. It is very likely that these requirements will be incorporated
into a new labeling system that will show consumers the level of security of the connected
devices they purchase.

These proposed requirements include:

• IoT device passwords that must be unique and not resettable to any universal factory
  setting
• Requiring manufacturers of IoT products to provide a public point of contact as part of a
  vulnerability disclosure policy
• Mandating that manufacturers explicitly state the minimum length of time for which a
  device will receive security updates through an end of life policy

These requirements should be the foundation of any proposed legislation in the U.S. on the IoT
front. Here’s why:

They directly address IoT manufacturers’ existing security weaknesses while shifting
responsibility for security to the IoT manufacturer — where it should be — and away from the
consumers who currently bear that burden.

The Code of Practice also addresses a very important security best practice — vulnerability
disclosure. No software is perfect, and IoT device manufacturers have completely lagged on
developing a proper channel to identify and resolve security vulnerabilities in their software
throughout the duration of the product life-cycle. The Code of Practice specifically recommends
that manufacturers and industry stakeholders need to improve the security of their products by
developing a Vulnerability Disclosure Policy (VDP) or a means to report those vulnerabilities.

Establishing a channel to disclose software vulnerabilities in a smart device is a huge step
towards increasing consumer IoT security. A VDP essentially provides a means for anyone to
contact an organization to report a vulnerability as well as clear guidelines on how to do so.
VDPs are fairly straightforward, easy and cost effective to implement. The experience of the
teenager who found the Apple FaceTime bug earlier this year highlights the importance of
having such a policy.

California became a vanguard in the security space last year by passing a law (Senate Bill 327)
mandating that any maker of an Internet-connected, or smart device ensures the gadget has
‘reasonable’ security features which ‘protects the device and any information contained therein
from unauthorized access, destruction, use, modification, or disclosure.’ Part of what is
considered ‘reasonable’ is banning default passwords in connected devices as each device sold in
California must come with a password ‘unique to each device.’ The law goes into effect in 2020
but has been criticized for not going far enough. California should also consider adopting the two
other requirements from the UK. As opposed to other situations where waiting for a court to
determine ‘reasonableness’ may be appropriate, California should not wait here. IoT breaches
can be physically dangerous and result in tremendous economic harm.

Conversations are just starting to take place regarding standards for IoT security in the U.S. at
the federal level. Lawmakers and witnesses in front of the U.S. Senate Committee on Commerce,
Science and Transportation’s Subcommittee on Security recently debated about how to make IoT
devices safer and more transparent for consumers. Cybersecurity experts stated that federal
legislation should require basic security standards, like California’s SB-327 does, and also
recommended that the federal government and the private sector collaborate on developing an
IoT security certification seal similar to the ‘Energy Star’ on energy efficient products. This
would be a very good move. In fact, the U.K.’s proposed labeling system has been well received
with overwhelming public support.

IoT legislation in the U.S. is following the piecemeal path of data breach privacy policy, in
which only limited laws protecting consumers have been introduced.

IoT is an area in which the risk of data breaches is so high, and the impact of them is so great,
that requiring labels for one state and not the others makes no sense. It is important to have the
right security standards mandated by law at the federal level, standardizing security for all
consumer IoT devices. This is exactly what the U.K. is doing. Both the U.S. and the State of
California should follow the UK’s footsteps and not wait for a court to determine what is
reasonable for consumer IoT product safety.

Security measures need to be built into smart products right from the get-go, not after the fact,
and consumer safety should not be sacrificed in exchange for performance or being first to
market.
