Trade Law Daily is a Warren News publication.
Regulation 'Knee-Jerk Reaction'

House Commerce Lawmakers Seek Middle Ground on IoT Devices' Cybersecurity

House Commerce Committee Republicans didn't dismiss the possibility of limited cybersecurity regulation of IoT-connected devices, during a hearing Wednesday. They emphasized that any solution would need private sector leadership. However, experts urged the House Communications and Trade subcommittees to seek a solution in which the federal government plays a leading role in developing IoT security standards, as expected (see 1611150059). The subcommittees scheduled the hearing in response to last month's distributed denial of service attacks against DynDNS (see 1610260067).

“We need to get this right” in the wake of the Dyn attacks, said Communications Chairman Greg Walden, R-Ore. The “knee-jerk reaction might be to regulate” IoT cybersecurity practices, and “while I'm not taking a certain level of regulation off the table, the question is whether we need a more holistic approach” to the problem, he said. “The U.S. cannot regulate the world,” as standards applied to connected devices manufactured or sold in the U.S. “won't necessarily capture” devices made and sold internationally, Walden said. “The vulnerabilities might remain.”

Trade Chairman Michael Burgess, R-Texas, and other House Commerce Republicans echoed Walden's sentiment. Industry stakeholders “must take the lead” in developing standards around IoT cybersecurity given that the federal government doesn't have the capacity to adequately lead on those issues, Burgess said. Congress must strike a “delicate balance between oversight and regulatory flexibility,” with any industry-driven standards protecting consumers while simultaneously not hindering innovation, said Trade Vice Chairman Bob Latta, R-Ohio.

House Communications ranking member Anna Eshoo, D-Calif., said she agrees that the federal government shouldn't “damage” IoT innovation in its quest to solve cybersecurity issues, but “it's something that needs our attention.” Eshoo suggested both including IoT cybersecurity in national infrastructure legislation and the creation of a Good Housekeeping Seal of Approval-style endorsement of connected devices' cybersecurity practices. Trade ranking member Jan Schakowsky, D-Ill., said she believes the FTC and other federal consumer watchdogs “must take a leading role” in pushing for improvements to connected device security, noting that such devices are “uniquely vulnerable” to attacks. “We cannot count on IoT manufacturers to do the right thing on their own,” she said.

Level 3 Chief Security Officer Dale Drew told the subcommittees that the best way to begin to address IoT cybersecurity issues is to develop standards aimed at defining device security protocols. Such standards have never addressed connected device security during manufacture, and doing so would put pressure on manufacturers to improve their practices, Drew said. The Department of Homeland Security and National Institute of Standards and Technology (NIST) released guidance Tuesday for improving products' cybersecurity at the design stage, though that guidance doesn't exclusively deal with IoT devices (see 1611160019).

IBM's Resilient Chief Technology Officer Bruce Schneier called for Congress to create a separate agency to handle IoT cybersecurity given the wide range of sectors that connected devices affect. Eshoo said such a proposal is likely “dead in the water” given that Republicans will remain in control in the 115th Congress and President-elect Donald Trump's administration is unlikely to agree to an expansion of regulation. Schneier cited the creation of DHS following the Sept. 11, 2001, attacks as precedent for taking such an approach under a Republican-controlled federal government. Walden emphasized that both parties “are all committed to finding a solution” to address connected devices' vulnerabilities.

Schneier said any IoT cybersecurity standards would need to be “technologically variant” given the wide range of functions that connected devices provide. University of Michigan security researcher Kevin Fu said the federal government would need to play a leading role in fixing IoT cybersecurity, noting that NIST did a “relatively good job” of encoding basic principles into its Cybersecurity Framework. Standards development would still need “buy-in” from the private sector, Fu said.

The hearing reflects that “there are certainly opportunities here” to find a “middle ground” on IoT security, though there will be lawmakers who favor either “hard-line rules” or “don't want to do anything because they worry about over-regulation,” said Information Technology and Innovation Foundation Vice President Daniel Castro in an interview. “There needs to be some kind of balance and increasingly members of Congress are going to recognize that it's not enough to hold off but that they need to do something that's industry-friendly.”

A move toward the public and private sectors jointly drafting IoT cybersecurity standards is “probably a good idea,” but standards development will need to wade into the “really troubling economics of IoT” to be effective, Internet Security Alliance President Larry Clinton told us. “What makes the IoT the IoT is the placing of small computers in consumer devices also creates an entirely different level of security issues because in order to be cost effective, these computers don't have the capacity for security. They can't carry encryption very often and they're not subject to upgrades. Managing them is going to be a real challenge.”

A holistic solution could include encouraging IoT device manufacturers to disclose their security policies much as companies now disclose their privacy policies, Castro said. “The government doesn't necessarily have to dictate the specific mechanisms but if your refrigerator is using authentication or hard-coded passwords, the company can make clear what it's doing,” Castro said. “If they're found to have made those statements falsely, the FTC could take action against them. That will create a market that is much more responsive, as now there's little incentive to do anything.”

IoT security standards development would need to better address incentives than NIST did in developing the Cybersecurity Framework, Clinton said. “You'd probably [be] dealing with the creation of standards” as opposed to the collection of existing standards that was seen in the NIST framework, Clinton said. “What drives the production of these items is the cost efficiency of these small computers. So if you're going to establish a framework that could substantially increase costs, in order to get entities to adopt that framework voluntarily, you're going to need to figure out a way to make up the cost.”

DHS' Communications Sector Coordinating Council believes that although “the benefits of [IoT] are irrefutable, so too are the risks that result from insufficient security in the design, deployment and use of many of these devices,” said Chairwoman Nneka Chiazor in a statement. “We look forward to further collaboration with DHS and other Industry stakeholders in this shared ecosystem to address this challenge.”