Senators and panelists from government and industry found some common ground, but also butted heads, over the steps needed to strengthen Internet of Things (IoT) cybersecurity at an April 30 Senate Commerce, Science, and Transportation Security Subcommittee hearing.
Differences of opinion and the challenges of writing IoT regulation – which senators framed in the contexts of data privacy legislation, giving consumers clear information on IoT device security, public-private partnerships, and leading the global effort on IoT security – underscored the complicated road ahead in establishing effective legislation and strategies for regulating IoT cybersecurity.
Director of the National Institute of Standards and Technology (NIST) IT Lab Charles Romine spoke about the cybersecurity framework NIST developed through private-public collaboration, adding that the guidelines have had international reach in providing guidance in cybersecurity efforts. He said NIST has been working in a similar manner to address IoT security, and he expects guidelines that NIST and its partners establish will have a similar global impact.
Although senators and all of the panelists spoke in favor of NIST’s effort to create a Federal IoT security standard and of the public-private partnership behind those provisions, they lacked consensus on other issues, such as how to inform the public about the quality of IoT device security.
Ranking Member Sen. Ed Markey, D-Mass., for example, mentioned his Cyber Shield legislation, which looks to mandate labeling of IoT device security standard ratings, similar to Energy Star ratings for appliances or nutritional labels on food.
But U.S. Telecom Senior Vice President for Cybersecurity Robert Mayer, Chamber of Commerce Vice President of Cybersecurity Policy Matthew Eggers, and Consumer Technology Association (CTA) Vice President of Technology and Standards Michael Bergman argued that cybersecurity isn’t as easy to label or rank as energy because of its complicated and evolving nature.
“We have to be careful that we don’t create a false sense of confidence by putting a label out there that may not be able to maintain its currency,” Mayer said. “As we move towards AI, big data, 5G in terms of connectivity – and we’re moving there quickly – we’re going to have to understand that there’s going to be a requirement for a different level of effort to protect and secure those devices.”
Rapid 7 Vice Public Policy Director Harley Geiger, however, argued that Congress should facilitate programs that help consumers better identify secure IoT devices.
Geiger added that the senators should pursue legislation that would support enforcing agency actions on IoT security and security research, as well as data security legislation, as key steps toward bolstering nationwide IoT security. He also said that making standards mandatory rather than voluntary is critical – a point that other panelists like Mayer disagreed with.
“Voluntary guidance, we think alone, will not work,” Geiger said. “We hear from some of the companies here today or associations here talking about the baseline for IoT security. We think that that’s great and is very fruitful work and should be a factor into what is considered reasonable for security of personal information. The point is that there has to be some sort of enforcement mechanism behind it to prompt adoption.”
Regardless of the legislation the committee pursues, NIST, in partnership with industry, will next set the baseline for standard IoT security guidelines, and those efforts will gain support if Congress moves forward with the IoT Cybersecurity Improvement Act. Even though the hearing did not produce full agreement on ideas or policy, all agreed that setting security standards soon, especially with IoT devices becoming ubiquitous, is critical.
“Unsecure IoT devices will be like the new asbestos,” Geiger said. “We will build them into our environments only to rip them back out years later and wonder why our predecessors did not have the forethought to ensure basic security from the start.”