IoT Security: "I'm From the Government and I'm Here to Help"?

Ronald Reagan joked that the most terrifying words in the English language are: "I'm From the Government and I'm Here to Help."  When it comes to security and the Internet of Things (IoT), government wants to be helpful, for better or for worse.  NIST, NTIA, DHS, FTC, FCC, NHTSA and FDA are all looking at IoT.  Congressional IoT interest abounds.  As President-Elect Trump and a new Congress take over, the fate of ongoing activities is unclear, but widespread interest and divergent approaches at DHS (and other agencies) and on the Hill promise future scrutiny.

On one hand, DHS released a report, Strategic Principles for Securing the Internet of Things (IoT), finding it "imperative that government and industry work together, quickly, to ensure the IoT ecosystem is built on a foundation that is trustworthy and secure."  DHS states that the "role of government" is to "provide tools and resources so companies, consumers, and other stakeholders can make informed decisions about IoT security."  DHS offers principles to "motivate and frame conversations about positive measures for IoT security among developers, manufacturers, service providers" and consumers.  These (unsurprising) principles are:

  • Incorporate Security at the Design Phase
  • Promote Security Updates and Vulnerability Management (citing NTIA's Multi-stakeholder Process on Patching and Updating for IoT)
  • Build on Recognized Security Practices (citing the NIST Cybersecurity Framework)
  • Prioritize Security Measures According to Potential Impact
  • Promote Transparency across IoT (including, among other things, vendor risk assessments and a publicly disclosed way to use vulnerability reports)
  • Connect Carefully and Deliberately (targeted at consumers)

DHS offers next steps, including coordination of activities, building awareness of risks, evaluating incentives, and international standards activity. A notable contribution is DHS interest in how "tort liability, cyber insurance, legislation, regulation," voluntary initiatives and other efforts can improve security.  Given recent litigation over aspects of IoT security, the government might help by protecting innovators and companies from class action lawsuits.

On the other hand, some want regulation. Some Democratic Hill staff lament that there are no federal requirements for security in IoT devices. Some commentators think regulation should force manufacturers to meet minimum security standards: Bruce Schneier from Harvard's Berkman Center will tell a House Subcommittee hearing tomorrow that "the only solution is to regulate. The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers."  Regulation is premature, and even agency "guidance" can prejudge technology and stymie innovation.

At bottom, while regulation is exceedingly unlikely in a new Congress and Administration, these sorts of reports provide fodder for agencies struggling with what, if anything, to do about IoT security.  More troubling, States may get in on the action, and class action plaintiffs are looking for the next ubiquitous technology that can provide a basis for litigation.  Innovators must watch these efforts and look for ways the government can help, not hurt.
