IoT security: not ripe for regulation

Media reports regularly offer frightening stories about security vulnerabilities in the emerging “Internet of Things,” from the hack of a Jeep to the specter of bad guys accessing “smart homes” or exploiting industrial IoT to compromise utilities.

Not surprisingly, regulators are focusing on security, both in industry verticals (think medical devices and cars) and more generally.  The Federal Trade Commission identified cybersecurity issues related to consumer-facing IoT, and proposed possible best practices.  The White House, through the National Telecommunications and Information Administration, is asking for input by May 23 on various aspects of IoT, including cybersecurity concerns and whether IoT security is somehow unique.  Congress is looking closely at IoT as well, wary of regulation but concerned about consumers.

{mosads}As a general matter, cybersecurity for IoT is a poor fit for prescriptive regulation – as the FCC Chairman said last year, “[t]he pace of innovation on the Internet is much, much faster than the pace of a notice-and-comment rulemaking.” So much remains uncertain about IoT use cases, consumer demand, device and application supply chains, and the 5G wireless networks that will support them.  Trying to codify any approach, standard or best practice in the Code of Federal Regulations guarantees near-instant obsolescence.

Policymakers should be vigilant but, in the words of one FTC Commissioner, exercise “regulatory humility.” Regulation threatens to lock in technology, prematurely predict consumer preferences, and stymie efforts to innovate and ensure global harmonization. 

Luckily, collaboration between industry experts and standards groups is robust and productive.  An alphabet soup of domestic and international groups are examining security in the next generation of connected devices and services.  The National Institute of Standards and Technology has a Communications Technology Laboratory examining security in IoT and 5G networks. Groups as varied as the International Standards Organization, Underwriters Laboratory, ATIS, IEEE, and 3rd Generation Partnership Project (3GPP), to name just a few are working the issues collaboratively. And industry groups are not waiting for regulation either, choosing to develop best practices, such as the Auto Alliance developing a “Framework for Automotive Cybersecurity Best Practices” and the Online Trust Alliance releasing its “IoT Trust Framework.” It is an understatement to say, as a federal advisory group recently did, that “[t]here are numerous efforts underway to enhance” IoT security “within multiple standards organizations.”

Where government’s role is most appropriate and impactful is in the commitment of federal and state investments and actions necessary to upgrade and remove regulatory barriers to modernizing infrastructure – the highway system, mass transit, smart grid, telecommunications networks, government services and other utilities upon which IoT will depend for innovation and growth.  Otherwise, the United States should continue to lead by example, and carefully weigh the costs and benefits of premature intervention.  As the federal regulatory apparatus turns its gaze to “the next big thing,” it should check its natural inclination to micromanage, and defer to the market and technology to lead the way.

Megan Brown, a partner at Wiley Rein, works on technology law and emerging federal policy in cybersecurity and privacy. She counsels technology companies on complex cybersecurity obligations and the NIST Cybersecurity Framework, and previously served in the U.S. Department of Justice, as counsel to Attorneys General Michael B. Mukasey and Alberto R. Gonzales. 

Greg Garcia leads McBee Strategic’s cybersecurity policy practice, and previously served as the nation’s first Assistant Secretary for Cyber Security and Communications at the U.S. Department of Homeland Security from 2006-2008, where he led the National Cyber Security Division, the National Communications System, and the Office of Emergency Communications.