IoT's Dynamic Cybersecurity Demands Require 'Light Touch' Rules, AEI Panel Says

Speaking alongside other panelists at a Capitol Hill luncheon briefing earlier this month, Sen. Ed Markey (D-Mass.) reiterated his concern that IoT stands for "Internet of Threats."

Rep. Ted Lieu (D-Calif.) insisted that consumers should know a so-called smart device can be hacked after they install it at home, but that government protections should have a "very light touch."

Chris Calabrese, VP-policy at the Center for Democracy and Technology, emphasized that the approval seal proposed in the Markey-Lieu Cyber Shield legislation is merely a way "to figure out if we can trust these devices."

And they all acknowledged that any such law will have to be dynamic because of the rapidly changing factors in the Internet of Things.

Shane Tewes, a visiting fellow at the American Enterprise Institute, organized and moderated the "Securing the Internet of Things" seminar Feb. 14. She characterized it as a good way "to get people's attention" even though some parties "are not going to be happy about it." In particular, she told Multichannel News after the event, manufacturers "don't want to put this in a box and get sued."

"You have to find the middle ground," Tewes said, adding quickly that AEI is not endorsing the legislation, but rather acknowledging that "something is going to happen" and the group doesn't want to "shy away" from the process.

Although it was unusual for a right-leaning think-tank such as AEI to showcase legislation by two liberal Democrats, the event hit a topic of interest to cable operators and other carriers as well as equipment makers -- all of whom are concerned about the assigned liability if home IoT devices are hacked. Markey is a member of the Senate Commerce Committee and its subcommittees handling communications and consumer protection. Lieu sits on the House Judiciary Committee. They introduced the Cyber Shield Act of 2017 (S.2020 and H.R.4163) in October.

Their proposal calls for a voluntary cybersecurity program for the Internet of Things, with input from a public/industry/academic advisory committee; one objective is to create product labels (physical or digital) that identify IoT devices that meet strong cybersecurity standards. The seal would show consumers that devices -- ranging from baby monitors to phones, laptops and other networked items -- are safe from intrusions. The legislation would place the voluntary self-certification program in the Department of Commerce, also home of the National Institute of Standards and Technology and the National Telecommunications and Information Administration.

Dangers and Dynamic Solutions

Markey, in his opening remarks at the AEI session, warned, "We're here to talk about the sinister side of cyberspace: the harm that can be inflicted."

He emphasized that every IoT device is "something that can be compromised ... in ways that people don't think about but they should." He said the Cyber Shield "seal" would "enable consumers to make informed decisions" when they buy and install devices on a home network and "reward businesses that offer best practices." In the process, the legislation would "create a roadmap of improvements for manufacturers and their devices," Markey added.

Lieu concentrated on the "living, breathing process which would change over time as tech continues to change."

"The reason we're not very specific in this statute is [because] when it comes to technology, government should have a very light touch," Lieu added, emphasizing his expectation that industry will "self-regulate." He explained that the voluntary program established by the proposed legislation would rely on a commission of diverse experts to set standards.

Industry-wide self-regulating standards, however, became the first matter addressed during a follow-on panel.

"We haven't seen a lot of coordination behind the standard," said CDT's Calabrese. "A lot of private entities have tried to put out standards, and the result has been a jumble."

Nonetheless, he agreed that certification of some sort is valuable "to figure out if we can trust these devices." He cited the recent BITAG report on technical aspects of IoT security and privacy as a model for such cross-industry collaboration. (The Broadband Internet Technical Advisory Group's members include Comcast, Charter, AT&T, Dish Network, Cisco, CableLabs, NCTA and Level 3.)

Rena Mears, head of consulting at DLA Piper law firm, pointed to the role of communications companies as devices are added to home networks.

"The level of data sharing is immense and going to get bigger," she said. "The risk with IoT is that each individual product is so small ... but taken together, it is immense." That will lead to "supply chain issues" which will put the burden "back to industry," Mears added.

"Even in an organized system, it's hard to find where the vulnerability or breach is," she said, stressing that liability "sits thick and heavy" in complex networks, such as IoT relationships.

"When I look at a home that has become a platform, and I look at the immense possibilities for IoT," Mears said, she envisions both values and dangers.

She called the ecosystem for IoT liabilities "just mind-boggling."

"There will have to be some set of rules that apply at some broader level rather than the traditional way of [managing] every little piece," Mears said.

Robert Stein, VP-government and regulatory affairs at InterDigital, a research and development company that provides wireless technologies for mobile devices, networks and services, acknowledged that, "We haven't thought that far ahead about who oversees" the integration of IoT connections.

The panel agreed that the Cyber Shield legislation is forcing the industry to examine specifics about digital security. Beyond the integrated role for carriers and hardware providers, there are "complicated realities" such as locked passwords. If a manufacturer installs a digital lock that a consumer cannot update, they wondered how it would affect the future interoperability with other home devices -- especially if a device is compromised or discarded.

The discussion echoed an early remark by Calabrese, who characterized the proposed legislation as an interim measure.

"No one should mistake it for a solution," he said.

Pictured (from left): Chris Calabrese, Rena Mears and Robert Stein, panelists at AEI's IoT security briefing Feb. 14.

Gary Arlen
