IoT Ecosystem Security a Major Challenge Not Easily Solvable, Say Panelists
Securing the IoT ecosystem that will grow to 50 billion interconnected devices in four years won't be easy because innovation is outpacing the regulatory and legislative process, and incentives largely don't exist to encourage consumers and others to better secure devices, panelists said during a Hogan Lovells conference. Just last week, a distributed denial of service (DDoS) internet attack against DynDNS knocked out service for several popular websites (see 1610240047).
In the attack, FCC Enforcement Bureau Chief Travis LeBlanc said Tuesday, users who had cameras continued to use them and noticed nothing out of the ordinary, with no interruption to ISPs' network performance. These three key actors -- users, ISPs and even device manufacturers -- "don't have huge incentives or necessarily notice the issue as it's ongoing at the time," he said, so something needs to be done to motivate them to better secure the IoT ecosystem. He said the IoT existed 13 years ago when 500 million devices were connected -- and still are -- making it challenging to address security for older devices and those no longer supported by manufacturers.
Within government, LeBlanc said many agencies -- including the FCC, FTC, National Highway Traffic Safety Administration, National Institute of Standards and Technology, NTIA and the White House -- have been active in adopting new privacy and security regulations (see 1610270036) or issuing best practices or guidance for IoT (see 1610190051 and 1501270034). Government also has been partnering closely with industry on these issues, he said.
Austin Carson, aide to House Homeland Security Committee Chairman Michael McCaul, R-Texas, said the focus should be on threats and where they exist, whether in emergency scenarios or health devices, segregating them and addressing each. He said with the recent attacks, there has been a lot more discussion on Capitol Hill. Congress likely will take up the issue next year (see 1610260067) and House Democrats recently said they want a hearing on the DDoS attacks (see 1610310063).
LeBlanc said innovation is moving so quickly that it's outpacing the regulatory system. He said even if government moves quickly, it takes a minimum of seven years from the time legislation is introduced to the time regulators start enforcing such rules. Even so, such changes likely won't address the landscape of the future and the risk of overregulation could constrain innovation in ways that legislators may not intend, he said. The focus, he added, should be on prevention rather than accountability, which is still important.
Vice President-Regulatory Affairs Julie Kearney said CTA, which will issue a white paper on helping the next administration continue IoT rollout, has been working with NTIA on the issue, and is creating security standards for consumer devices. In "our device and network universe, consumers have to trust us," she said: "If we lose the trust, we’re sunk and there's no business model anymore. The incentives are strong for us to develop voluntary standards and to communicate with consumers about best practices" and other issues.
Center for Democracy and Technology Vice President-Programs and Strategy Lisa Hayes said the industry-convened Broadband Internet Technical Advisory Group will issue a very detailed "plain English" document in two weeks, with suggestions about how industry can help correct problems. Hayes, who said she saw a rough draft of the report, said CDT is exploring a suggestion where every household will have its own home network in which every internet device connects to one small network device that can control privacy and security settings and check for malware, for example.
Former FTC Commissioner Julie Brill, now a Hogan Lovells attorney, said privacy remains a regulatory and reputational risk for connected devices. One issue is how to present notice and choice to consumers for information that will be collected and shared, since many devices don't have screens. QR codes, interactive dashboards or a command center, which can run multiple devices and provides a centralized interface, are solutions, she said. Data minimization techniques and de-identified practices are other methods to consider, she said. Adam Thierer, senior research fellow at George Mason University's Mercatus Center, said there should be a "multifaceted, layered approach" with many options to address the notice and choice challenge.
Maneesha Mithal, associate director in the Privacy and Identity Protection Division, said for enforcement, the FTC is looking at health, general security and end-of-life support for devices by companies. On that last issue, she said the commission brought action against a company that ended support for its product after a short time, and that was resolved when it issued full refunds to consumers who bought the product.
Experts at another panel agreed that a mixture of low-, mid- and high-range bands, plus unlicensed and licensed frequencies, is needed to address IoT spectrum demands. Renee Gregory, White House Office of Science and Technology Policy senior policy adviser, said government is working to make more efficient use of such bands coupled with flexible policies. Derek Khlopin, NTIA senior adviser for spectrum, said spectrum repurposing is going to be on the agenda regardless of who's in the White House next year.