November 1, 2016–The development of robust security for Internet of things devices and the networks that connect them may be impacted by misaligned incentives between IoT device makers and owners, panelists at the 2016 Winnik International Telecoms and Internet Forum said today. Travis LeBlanc, chief of the FCC’s Enforcement Bureau, noted during a panel discussion that IoT camera devices hijacked by botnet operators and used to perpetrate distributed denial of service (DDOS) attacks launched last (TRDaily, Oct. 21) against Dyn – a firm that provides domain name systems hosting – remained operational for their owners despite being used by botnets to conduct the attacks. Likewise, he said, it did not appear that Internet service providers were harmed by the attacks.
In light of that, “we have to figure out how to incentivize” device owners and service providers to cooperate more fully on improving IoT security and “align the incentives” of all parties, he said. Noting estimates that the number of IoT devices will grow to 50 billion worldwide by 2020 – from an estimate of about 500 million devices 13 years ago – Mr. LeBlanc said that even though IoT security improvements can be expected as the technology proliferates, “the challenge is the 500 million devices that we had 13 years ago are still out there” with substandard security protections.
In addition to dealing with legacy IoT devices that have poor security features, he noted that the “vast majority” of small businesses in the U.S., and most businesses overseas, “don’t have a dedicated network” so that IoT devices will not be afforded the generally better security protections of large enterprise networks.
“We all agree that IoT is a good thing,” said panelist Lisa Hayes, vice president-programs and strategy at the Center for Democracy and Technology, “but we are focused on how to protect the user” particularly in the area of medical devices and other vital applications where security updates and patching may not be automatically accomplished.
“Security starts at the device,” said Julie Kearney, VP-regulatory affairs at the Consumer Technology Association, who recommended that consumers purchase “reputable” devices. “The incentives are strong for us to develop best practices for security,” Ms. Kearney said. “If we lose consumer trust, we are sunk,” she added.
Asked what federal policymakers could do to address IoT security problems, Austin Carson, legislative director for House Homeland Security Committee Chairman Michael McCaul (R., Texas), said that short of replacing “massive amounts of infrastructure,” the “boundaries” of IoT security issues need to be better defined and separated to figure out “how to deal with them.”
Mr. LeBlanc said the federal government needs to work “to get industry to embrace and adopt best practices” to improve IoT security, but added that the scope of the problem is international and that “it will take a lot of years and a lot of actors” to achieve widespread security improvements.
Mr. Carson offered no forecast for congressional action on IoT security issues in the near term, but said it was possible that a large-scale security breach with “consumer-facing” implications could spur congressional action.
“The problem is that innovation . . . is outpacing the regulatory system we have set up,” said Mr. LeBlanc, who estimated that it could take up to seven years for legislation to be passed by Congress, implemented by federal agencies, and tested through court challenges. He said he feared that in reaction to a large-scale IoT security failure, Congress and the federal government could retreat from current policy that aims at “light touch” security regulation to more onerous action that could “clamp down” on innovation.
Despite the somewhat cloudy view of IoT security development going forward, Mr. LeBlanc ticked off efforts in recent years by the White House, Congress, and numerous government agencies, including the FCC, to address cybersecurity issues through educational efforts, creation of best practices, and partnerships with the private sector. “The federal government has been doing a lot in this space,” he said, adding, “it’s clear this isn’t a new issue to government.”
Ms. Kearney said CTA was planning to issue a white paper study on IoT security in mid-November, and Ms. Hayes said the Broadband Internet Technical Advisory Group plans to issue its own IoT security report in about two weeks. In previewing a draft of the BITAG report, Ms. Hayes said the document may suggest that every home have its own network as way to improve the security of devices used within the home. – John Curran, firstname.lastname@example.org