NTIA Issues Request for Comments on Policies Related to Cyber Threats Surrounding Internet of Things
On April 6, 2016, the National Telecommunications and Information Administration (NTIA) issued a federal notice requesting public comment on the benefits, challenges, and potential roles for the government in fostering the advancement of the Internet of Things (IoT). (RFC is here).
Comments are due on May 23, 2016.
NTIA defines IoT broadly to include connection of physical objects, infrastructure, and environments to various identifiers, sensors, networks, and/or computing capability – in essence, any device that gets data and sends instructions to devices and components over the Internet. IoT technology includes your refrigerator, a light bulb (or a light bulb in your refrigerator) if it is connected to the Internet. Until now, it has often seemed as though the focus of IoT product and application development is to provide basic connectivity without addressing any security concerns. Establishing even minimal security, it was thought, was but an unnecessary cost that degrades device performance to boot. But not surprisingly, this approach makes IoT devices more vulnerable to attacks – for example, by permitting a hacker to access sensitive user information by entering a user’s home system through an unsecure IoT device. An unsecure IoT device can provide a gateway by which a hacker can gain significant access to sensitive user information held by an unsuspecting consumer who simply wants his smart phone to control his ceiling fan.
NTIA seeks comment on a wide range of issues related to technology, infrastructure, economics, and policy, as well as those implicating international legal and policy considerations. From the standpoint of privacy, the notice seeks comment on ways in which the government should respond to and address confidentiality of personal data specific to IoT, cybersecurity concerns about IoT, categorization of IoT, different treatment of consumer as opposed to commercial or industrial data, as well as comments related to disproportionate economic equity and the impact on disadvantaged communities.
In the best cases, government regulation could promote consumer privacy and security safeguards. Industry standard-setting organizations might lead to standardization of basic protocols, including security authentication. Many IoT devices today do not have even basic password authentication. A smart home security system may be tied to the home’s original owner, and changing the security protocols over to a new homeowner (or renter) could be cumbersome. By establishing a standardized means to address basic issues of security and customer service, IoT devices could promote interoperability between different manufacturers, streamline the practical aspects of unrelated transactions (like home sales) and, in turn, promote faster evolution and use of the technology. This, indeed, appears to be NTIA’s mission in the proceeding.
By promoting IoT and requesting comments on IoT cybersecurity issues, the NTIA IoT proceeding seeks to train the spotlight on what might be the weakest link in the consumer and industrial “security chain”: IoT devices.