Industry to government: Hands off IoT security
When it comes to the Internet of Things, the U.S. government should stick to maximizing the availability of spectrum and let industry deal with security, according to technology manufacturers.
The Consumer Technology Association said this week in a white paper that relying on voluntary best practices to ensure the cybersecurity of billions of internet-connected devices would be better for the country and the economy than regulation — no matter how well-intentioned.
“Policymakers should refrain from broad, proscriptive regulatory action that could derail or delay new IoT applications” and stifle the economic and social benefits of innovations like remote health monitoring devices or appliances that can order their own detergent, the white paper states.
“Instead, self-regulatory and other consensus-driven industry efforts will allow stakeholders to address discrete, specialized issues in a practical and flexible manner,” the white paper argues.
The CTA represents more than 2,200 companies — from giants to start-ups — in the $287 billion annual consumer tech market. It rolled out its white paper Thursday ahead of a House hearing at which cybersecurity experts argued the diametrically opposite proposition: That federal regulation was the only way to secure the IoT when there were so few market incentives.
Two massive cyberattacks in recent months — the largest in history — were powered by huge networks of hacked IoT devices, easily compromised by the hundreds of thousands because of poor cybersecurity.
“We are in this sorry and deteriorating state because there is almost no cost to a manufacturer for deploying products with poor cybersecurity to consumers,” Kevin Fu, CEO of Virta Labs and an associate professor of computer science at the University of Michigan told the House Energy and Commerce Committee.
“The market can’t fix this,” added noted technologist Bruce Schneier, because neither buyer nor seller are actually impacted by the consequences of poor security.
“We need more government involvement in the security of the IoT and increased regulation of what are now critical and life-threatening technologies. It’s no longer a question of if, it’s a question of when,” he said.
But the CTA pushed back hard against that notion Thursday, arguing in its white paper that there were too many federal cooks in the regulatory kitchen.
“Fragmentation or divergent and inconsistent regulatory approaches are potentially damaging to the development of IoT and confusing for consumers,” the white paper states, noting that “two dozen separate federal agencies” — from the Food and Drug Administration, through the Federal Trade and Communications Commissions to the National Highway Traffic Safety Administration — have regulatory authorities over some element of IoT.
“The specific laws, rules and regulatory regime(s) that apply to a particular IoT device or application may not always be obvious, and this complex web may be particularly difficult for smaller companies unable to afford counsel for each regime [it has] to navigate,” explains the white paper.
But on the other hand, CTA President Gary Shapiro said in a release, “standard setting and regulatory process should not lie with a single body of the American bureaucracy.”
Shapiro urged the incoming administration of President-elect Donald Trump “to do all that it can to promote innovation in the IoT,” by ensuring that federal agencies free up sufficient spectrum to “ensure entrepreneurs have the resources needed to thrive and create the devices of the future.”
The white paper says the IoT explosion will require, by 2020, a network capacity that is “at least” 1,000 times what’s currently available.
“Congress must continue to support and encourage federal agencies to share, and where possible, clear spectrum,” the paper states.