Regulating, securing IoT market remains a work in progress

There's a global race to regulate smart devices, but how to do so remains elusive.

A 2017 report by Gartner estimated that there were approximately 8.4 billion connected "things" in 2017, and the firm expects that number to balloon to 20.4 billion by 2020. That includes everything from smart buildings and Internet-connected cars to cheaper, less sophisticated devices like baby monitors.

In addition, hackers have increasingly focused on weaponizing vulnerable IoT devices, building botnets that can be used to conduct devastating Dedicated Denial of Service (DDoS) attacks or mine cryptocurrencies.

As a result, governments, manufacturers, information security organizations and trade associations all have an incentive to collectively raise the security standard of the nascent IoT market.

How to do so effectively, both inside and outside government, remains a challenge.

The National Telecommunications and Information Administration released a draft report to the President on combatting botnets, which are often largely powered by IoT devices. It called on the federal government to "lead by example" and "creat[e] market incentives for early adopters" to meet baseline security standards through the federal procurement process.

At a Jan. 25 cybersecurity event, officials from government and industry addressed the dilemma of providing security for users without hampering innovation by industry.

Chris Boyer, assistant vice president of global public policy at AT&T, told FCW he also thinks it's too early to start heavily regulating the IoT market, but argued that the United States needs to be at the forefront of the international standards process. If not, other nations will set the table.

"China wants their own certification, Japan does [too], it's all over the map,
said Boyer, who is also chairman of the Information Security and Privacy Advisory Board at the National Institute of Standards and Technology. "The EU -- they already have a law requiring certification. They're going to have their own standards and tests probably by the end of the year, so we don't have a lot of time to wait."

Evelyn Remaley, deputy associate administrator for the office of policy development and analysis at NTIA, told FCW that a 2017 green paper on fostering IoT development will be revisited this year, but she doesn't the paper's conclusion that the IoT market is still too young to regulate without affecting innovation to change.

John Miller, vice president of global policy, law, cybersecurity and privacy at the Information Technology Industry Council, said many of the legislative proposals floated by Congress haven't passed muster, defining IoT devices in an overly broad way.

"If you want to address IoT security, you can't define what you're trying to regulate as everything that can plug into the internet, which can include everything from major industrial control systems to iPhones to connected automobiles and critical infrastructure systems," said Miller.

In addition to regulating the broader commercial market, some lawmakers are also looking to specifically protect federal agencies from rogue or compromised devices. Rep. Robyn Kelly (D-Ill.) introduced a bill in October 2017 that would tighten standards for connected devices purchased by the federal government, establish a new Emerging Technologies Advisory board and "bake security into the procurement process" for IoT devices.

Another bill introduced by Sens. Mark Warner (D-Va.), Cory Gardner (R-Colo.) and Steve Daines (R-Mont.) in August 2017 that would require connected devices purchased by the government to be patchable and ban devices with hard-coded passwords.

AT&T's Boyer favors a new NIST framework for IoT, similar to the process that led to the cybersecurity framework, that is designed to set broad guidelines for security across different silos without creating a cumbersome one-size-fits-all approach. That would allow government bodies like the Federal Trade Commission to map their "reasonable standard" to impose liability on companies that clearly fall short.

"You can have a high-level general framework that says here are things you should be thinking about as you're developing IoT products, here's the very basic set of controls you should put in place that apply across any silo, and then the individual verticals -- cars or healthcare -- can do a little bit more of a drilldown for their specific industry," said Boyer.

Tom McDermott, deputy assistant secretary for cyber policy at the Department of Homeland Security, told attendees that after initially falling prey to the typical turf battles, the agency realized it would need to do a better job engaging with both other agencies and the private sector to tackle issues like IoT security.

"Government across the board has come to realize and accept the fact that cybersecurity is too complicated a problem for any one agency or entity to try to solve," he said. "I think across the board we are not perfect. I would not give us an A on this, but I think it's a strong B with a trend line in the right direction in terms of coordinating our activity."