Trade Law Daily is a Warren News publication.
Regulation v. Voluntary Practices

Congress Likely to Explore IoT Cybersecurity Next Year, Lobbyists Say

The distributed denial of service (DDoS) attacks that DNS provider Dyn experienced last week have drawn congressional scrutiny in recent days, and Congress is likely to address the attacks as part of a larger examination of the security of IoT-connected devices, said industry executives and lobbyists in interviews. The attacks against Dyn caused outages and latency for multiple major U.S. websites, including Netflix and Twitter (see 1610210056). House Commerce Committee Chairman Fred Upton, R-Mich., and Senate Cybersecurity Caucus Co-Chairman Sen. Mark Warner, D-Va., are among lawmakers who raised concerns about the DDoS attacks (see 1610240038 and 1610250035).



IoT security is a policy issue that’s “ripe for discussion,” but Congress is unlikely to substantively address it before the start of the 115th Congress in January simply because of the limited amount of time left in the legislative calendar after the election, said Internet Security Alliance President Larry Clinton. “That’s probably a good thing” because it reduces the likelihood Congress will have a “knee-jerk reaction” to the Dyn attacks, Clinton said. “A knee-jerk response to a particular attack isn’t a wise way to make policy,” he said. “This is a systemic issue that is coming with the age of digitization. Those of us in the field have been saying for years that this is coming and we need to engage policymakers in a sophisticated conversation around this.”

Congress will need to grapple next year with whether it believes regulations are needed to address lax or sometimes nonexistent security in some connected devices, said Shane Tews, visiting fellow at the American Enterprise Institute’s Center for Internet, Communications and Technology Policy. “A lot of these devices don’t even come password-protected and that’s going to be an issue in the next Congress.” The issue is particularly relevant when examining the least-expensive versions of IoT devices, which are the least likely to have embedded security measures, Tews said.

A Capitol Hill debate over IoT cybersecurity “needs to evolve to focus on which end of IoT to focus on,” said Norma Krayem, Holland & Knight cybersecurity policy expert. “There has been a massive drive to create and build products connected to IoT, but if security is an afterthought, then that’s a huge problem.” Warner’s initial attention to IoT cybersecurity centered on the role of ISPs, but the focus “needs to start with device manufacturers,” Krayem said: “They can’t be connecting these devices to the internet and not expect there’s going to be a risk” of attacks like the ones Dyn experienced. The cyber risk to IoT has been well known, but the Dyn attacks demonstrated that risk, a cybersecurity lobbyist told us. “That’s not the first thing you think of when you’re building a baby monitor.”

The core issue in any Hill discussion on IoT cybersecurity “is that we need to be addressing the economics of these IoT devices while we also address the technical issues involved,” Clinton said: What it would take to increase the security of IoT devices could vary substantially depending on whether the device in question is a connected car or a baby monitor. The economic issues involved in cybersecurity also raise competition issues, Clinton said. “It’s more complicated when you begin to understand these issues in the full and robust nature that is their reality.”

It’s not immediately clear which federal agency would be best suited to regulate IoT security, though it’s possible that sector-specific agencies like the FCC could take the helm, Tews said. Some federal agencies have begun to address IoT cybersecurity, most notably the Department of Commerce through an NTIA-led multistakeholder process, Clinton said. The NTIA multistakeholder process, which began before the Dyn attacks, aims to develop a set of definitions for security upgradability for consumer IoT devices (see 1609160048 and 1610190051). That NTIA and other agencies are examining IoT cybersecurity “more as systemic issues than as technical flaw issues is encouraging,” Clinton said. Congress should work in tandem with federal agencies and the private sector on a “collaborative approach” to IoT cybersecurity, Krayem said.

CTA President Gary Shapiro urged Warner and others in the federal government Tuesday not to immediately seek a regulatory solution to IoT cybersecurity and instead allow the private sector to develop a voluntary “certification program” and best practices. “CTA is working with our member companies -- among the key players in the future of the IoT and its evolution -- on multiple programs across tech market categories including self-driving vehicles, health and wellness devices, and smart home technology,” Shapiro said in a statement. “As with any immense opportunity, there are risks involved -- in this case, bad actors who in the name of chaos or blackmail disrupt the communication and connectivity we all depend on. But we must not let these cybercriminals hinder innovation and the countless ways in which technology is changing our lives for the better.”