
Regulating, securing IoT market remains a work in progress


There's a global race to regulate smart devices, but how to do so remains elusive.

A 2017 report by Gartner estimated that there were approximately 8.4 billion connected "things" in 2017, and the firm expects that number to balloon to 20.4 billion by 2020. That includes everything from smart buildings and Internet-connected cars to cheaper, less sophisticated devices like baby monitors.

In addition, hackers have increasingly focused on weaponizing vulnerable IoT devices, building botnets that can be used to conduct devastating Distributed Denial of Service (DDoS) attacks or mine cryptocurrencies.

As a result, governments, manufacturers, information security organizations and trade associations all have an incentive to collectively raise the security standard of the nascent IoT market.

How to do so effectively, both inside and outside government, remains a challenge.

The National Telecommunications and Information Administration released a draft report to the President on combatting botnets, which are often largely powered by IoT devices. It called on the federal government to "lead by example" and "creat[e] market incentives for early adopters" to meet baseline security standards through the federal procurement process.

At a Jan. 25 cybersecurity event, officials from government and industry addressed the dilemma of providing security for users without hampering innovation by industry.

Chris Boyer, assistant vice president of global public policy at AT&T, told FCW he also thinks it's too early to start heavily regulating the IoT market, but argued that the United States needs to be at the forefront of the international standards process. If not, other nations will set the table.

"China wants their own certification, Japan does [too], it's all over the map," said Boyer, who is also chairman of the Information Security and Privacy Advisory Board at the National Institute of Standards and Technology. "The EU -- they already have a law requiring certification. They're going to have their own standards and tests probably by the end of the year, so we don't have a lot of time to wait."

Evelyn Remaley, deputy associate administrator for the office of policy development and analysis at NTIA, told FCW that a 2017 green paper on fostering IoT development will be revisited this year, but she doesn't expect the paper's conclusion that the IoT market is still too young to regulate without affecting innovation to change.

John Miller, vice president of global policy, law, cybersecurity and privacy at the Information Technology Industry Council, said many of the legislative proposals floated by Congress haven't passed muster, defining IoT devices in an overly broad way.

"If you want to address IoT security, you can't define what you're trying to regulate as everything that can plug into the internet, which can include everything from major industrial control systems to iPhones to connected automobiles and critical infrastructure systems," said Miller.

In addition to regulating the broader commercial market, some lawmakers are also looking to specifically protect federal agencies from rogue or compromised devices. Rep. Robin Kelly (D-Ill.) introduced a bill in October 2017 that would tighten standards for connected devices purchased by the federal government, establish a new Emerging Technologies Advisory board and "bake security into the procurement process" for IoT devices.

Another bill, introduced by Sens. Mark Warner (D-Va.), Cory Gardner (R-Colo.) and Steve Daines (R-Mont.) in August 2017, would require connected devices purchased by the government to be patchable and would ban devices with hard-coded passwords.

AT&T's Boyer favors a new NIST framework for IoT, similar to the process that led to the cybersecurity framework, that would set broad guidelines for security across different silos without creating a cumbersome one-size-fits-all approach. That would give government bodies like the Federal Trade Commission something to map their "reasonable" standard against when imposing liability on companies that clearly fall short.

"You can have a high-level general framework that says here are things you should be thinking about as you're developing IoT products, here's the very basic set of controls you should put in place that apply across any silo, and then the individual verticals -- cars or healthcare -- can do a little bit more of a drilldown for their specific industry," said Boyer.

Tom McDermott, deputy assistant secretary for cyber policy at the Department of Homeland Security, told attendees that after initially falling prey to the typical turf battles, the agency realized it would need to do a better job engaging with both other agencies and the private sector to tackle issues like IoT security.

"Government across the board has come to realize and accept the fact that cybersecurity is too complicated a problem for any one agency or entity to try to solve," he said. "I think across the board we are not perfect. I would not give us an A on this, but I think it's a strong B with a trend line in the right direction in terms of coordinating our activity."

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.
