Congressional Report Spotlights IoT RisksExperts Offer Analysis of Whether Congress Will Take Any Action
A new report from a bipartisan Congressional working group examining the benefits and challenges of the internet of things spotlights cybersecurity and privacy as top concerns across a variety of industries implementing the emerging technologies.
But the report stops short of making specific recommendations for Congressional action. And several security experts say legislative or regulatory activity in the cybersecurity arena is highly unlikely in the months to come.
"In this political climate, it is my suspicion that any [government] recommendations will be looked at as a burden on commerce and business, and an intrusion by government," says privacy attorney Steven Teppler of the Abbott Law Group. Congress won't take action, he predicts, "until some legislators have problems with interconnected devices and the issues hit home."
The white paper from the IoT working group of the House Energy and Commerce Committee describes findings gathered during five roundtables. The report also outlines initiatives underway outside of Congress - such as the National Institute of Standards and Technologies' guidance for securing interconnected devices - to address IoT security issues
Tackling the Challenges
The IoT working group met with technology experts, key stakeholders and leaders in a number of industries to discuss the benefits and challenges of implementing IoT and the role of the federal government in advancing the new technology, notes a joint statement by the working group's co-chairs, Reps. Bob Latta, R-Ohio, and Peter Welch, D-Vt.
"Privacy and cybersecurity were central topics introduced ... that were regularly discussed throughout the five working group meetings," the report notes. "There was also discussion and debate about the benefit of government mandates, and some participants recommended any government action take a holistic approach but not a one-size-fits-all mandate."
The report concludes: "IoT technology is rapidly evolving and growing in ways that greatly impact the U.S. and global economy, as are the threats associated with this technology."
A spokesman for Latta's office says it's unclear if the working group on IoT will continue in the new Congress because House Energy and Commerce committee members are still being selected. "If the working group continues, the next phase would look at making recommendations. This first step was trying to bring people together" for education about IoT benefits and risks, he says.
The paper refers to a number of best practices recommended by others, including NIST, the National Telecommunications and Information Administration, the Federal Trade Commission, and the Department of Homeland Security.
The goal that roundtable participants and working group members shared "is mitigating cyber risks through a multitude of channels, including but not limited to adopting best practices and basic security measures, software updates, encrypted communication and mutual authentication and authorization," the report notes.
"Depending on the vertical and nature of the device, vulnerabilities will differ; therefore, multifaceted approaches must be taken into consideration," the paper states. "We must encourage continued open dialogue between the federal government and private sector as technology develops."
The working group roundtables examined IoT issues in specific industries, including automotive, energy and healthcare.
For example, in reference to discussions about healthcare IoT, the report notes: "It also became evident that just like every other industry, participants in the healthcare sector view data protection, cybersecurity and privacy as top concerns and priorities. It was recommended by some roundtable participants that the industry continue to work to limit vulnerabilities by developing software and devices with security in mind rather than solely based on functionality."
More to Do
The Congressional report comes as IoT cybersecurity threats grow. For instance, last year, a malware-infected army of 100,000 mostly consumer IoT devices was used to carry out a distributed-denial-of-service attack against domain name server provider Dyn.
While the report does not make specific reference to the Dyn attack, it notes: "Recent examples of cyberattacks on IoT devices have exposed not just the potential impact on individual consumers, but the possible vulnerability on the broader Internet infrastructure."
The report notes that roundtable participants had differing viewpoints on how best to create an environment that promotes IoT while protecting consumers and networks. "They also grappled with whether or not a solution should rely on industry established standards, agency recommendations, legislation or a combination of all the above," the report says. "Although the participants lacked consensus on the best way forward, all agreed that security and privacy issues are critical to address within this emerging technology. Some participants also emphasized that consumers need to do their part to protect data by securing devices through good cyber hygiene practices."
Privacy and security attorney Stephen Wu of the law firm Silicon Valley Law Group says he thinks it's unlikely that the new Congress will call for new regulations related to cybersecurity and privacy.
Still, government agencies could make several moves to help promote the importance of IoT cybersecurity, he contends.
For instance, the Food and Drug Administration, which has issued voluntary guidance for pre-market and post-market cybersecurity of medical devices, could require the device manufacturers to submit to federal regulators disclosures about how the makers implement cybersecurity practices for their products, Wu says.
Regulatory agencies, such as the FTC, could also exercise more muscle when it comes to enforcement actions against manufacturers that are potentially deceptive about the privacy risks or cybersecurity concerns of their products, Wu says. "FTC has authority to stop deceptive or unfair business practices. The problem is that the agency likely would need more funding" to ramp up those enforcement efforts, he says. "And it's not likely they'll get getting extra funding."
Privacy attorney Kirk Nahra of the law firm Wiley Rein notes that IoT covers many "enormously challenging issues."
For example, he notes: "IoT involves areas where personal data is being collected where there has never historically been a collection of personal data - such as connected cars, refrigerators. On top of that you add things like mobile apps and wearables - whether healthcare related or not."
There is a constant tension between convenience and security, Nahra points out. "So we have massive security concerns because of the 'interconnected' nature of all these activities - and some history of large-scale breaches where weak links in these areas get into larger risks," he says. "On the privacy side, this is a gap in our sector-specific regulation so far - many of these areas are simply not regulated today - unless you say something that is false and deceptive, and then the FTC can go after you."
Because the new Congress is unlikely to consider any IoT-related regulations, Nahra says, "the challenge will then fall to the businesses developing these products to be smart and responsible, and for private industry to develop best practices and industry standards to protect both businesses and consumers in these areas."