President’s Cyber Commission Calls for Fast IoT Action, Consumer Focus
December 5, 2016
Reports to outgoing Presidents rarely have long-term policy impact. But as the new President’s cyber priorities take shape, last Friday's Report of the Commission on Enhancing National Cybersecurity may set expectations. The Internet of Things (“IoT”) features prominently in the 100-page Report, and today’s blog highlights the Commission’s perspective on IoT.
The Commission observes that “IoT devices can be significant weak links in our global networks, easily weaponized to deliver destructive and destabilizing attacks.” It states that “[t]he United States must lead a global push to drive security and secure development concepts into IoT design and development. The hour for doing so is already late.” What would that look like?
Standards, Studies, and Incentives. The Commission suggests agencies and others create “a set of general security principles … and IoT recommendations tailored to specific sectors, applications, and risks.” It calls for an army of federal regulators to launch IoT efforts. Agencies that “currently regulate IoT devices” should follow the model of “the National Highway Traffic Safety Administration” and work “immediately with industry to develop voluntary and collaborative guidelines to secure IoT devices.”
The Report calls for numerous guidelines, roadmaps, standards, assessments and studies, ranging from “a comprehensive set of risk-based security standards,” to a study on “how best to improve network security through incentives,” roadmaps for action, and a “standard template” for consumer information.
IoT liability concerns are addressed. Helpfully, the Commission heard concerns and suggests that “[t]he Department of Justice should lead an interagency study with the Departments of Commerce and Homeland Security and work with the Federal Trade Commission, the Consumer Product Safety Commission, and interested private sector parties to assess the current state of the law with regard to liability for harm caused by faulty IoT devices and provide recommendations within 180 days.”
Consumers are a big focus, with calls for labels and more than one “Bill of Rights.” The Commission recognizes that consumers and end users are key, and makes several recommendations designed to promote user awareness and cyber hygiene for IoT.
The Commission promotes consumer labeling, writing that “an independent organization should develop the equivalent of a cybersecurity ‘nutritional label’ for technology products and services—ideally linked to a rating system of understandable, impartial, third-party assessment that consumers will intuitively trust and understand.” The Commission acknowledges the complexity of this, and avoids addressing whether such a standard label or rating should be mandatory.
The Federal Trade Commission features prominently, with several expected actions, like developing “a standard template for documents that inform consumers of their cybersecurity roles and responsibilities as citizens in the digital economy—along with a ‘Consumer’s Bill of Rights and Responsibilities for the Digital Age.’” In another action item, the Commission calls for “consumer organizations [to] work with industry and the FTC to develop a consumer ‘cybersecurity bill of rights and responsibilities.’”
While the new Administration and Congress can ignore this Report, some of its many observations are likely to appear in agency inquiries, state efforts, and legal papers. It may inspire IoT efforts at agencies, or in the States, and it may be used by consumer groups to advocate for more regulation or promote disclosures.