The Senate Commerce Committee Security Subcommittee hosted the latest in a years-long conversation Tuesday (April 30) about cybersecurity, but with the new impetus of billions of IoT devices, bipartisan support for overall online privacy (and security) legislation, and the growing impatience of Democrats unsatisfied with the current public-private partnership, voluntary efforts, approach toward what one senator called the "Internet of Threats."
Industry witnesses at the hearing, entitled "Strengthening the Cybersecurity of the Internet of Things," were Michael Bergman of the Consumer Technology Association, Matthew Eggers, U.S Chamber of Commerce; Harley Geiger, Rapid7; Robert Mayer, US Telecom – The Broadband Association; Charles Romine, National Institute of Standards and Technology (NIST).
Generally the industry witnesses said that the current track of working with NIST on voluntray baseline standards and labels and certifications, rather than ones imposed by the government, was the way to go. The arguments were that industry was more nimble and flexible to address the constantly evolving changes driven by AI and Big Tech and 5G than federal regs.
Mayer extended that to state efforts as well. He said a patchwork of such cybersecurity regs would add unnecessary complexity, while a voluntary industry effort could adapt and evolve with the threat in as close to real time as was possible. He said that could only happen when policies are "aligned with market dynamics.
Gieger was the exception, saying purely voluntary wasn't enough and government would need to step in in some capacity. The witnesses also pushed back on legislators suggesting that banning Chinese telecoms Huawei and ZTE would be one way to improve cybersecurity.
Geiger said a better approach would be to set baseline standards that would be the quid pro quo for access to the U.S. market. Bergman pointed out that a chip may be developed in one country, fabricated in another, built in another, labeled in another, and sold in yet another.
Eggers said that the chamber wanted to focus on expanding commerce, not slaying dragons. He said a company "blacklist" would be hard to sustain long term. Bergman said that the fastest and best way to get to secure IoT was continuing to work with NIST on voluntary baseline standards--he pointed out that CTA has a long standards-setting track record.
He also pointed to the anti-botnet guide CTA had released and the groups it had convened to weigh in on a consensus approach. Rather than government mandates, he suggested that protecting customers was an already necessary and powerful marketplace incentive that his members were responding to.
Bergman said the keys to IoT security were promoting global harmonization rather than a balkanized approach; harnessing market forces; coming up with a common language so everyone was working off the same playbook, and influencing policy here and abroad, with government's role primarily that of a partner and convener toward the goals of tech consensus, voluntary standards and best practices, and market-driven standards that are scalable.
Republicans generally did not challenge that approach. Subcommittee Chairman Dan Sullivan (R-Alaska), said the hearing was meant to emphasize the value in continue partnership between government and private industry and voluntary and flexible standards, as well as incentivizing cybsersecurity by design in devices and networks.
Bergman and CTA got hammered by some Democrats over that approach, notably Sen. Ed Markey (D-Mass.), though with Republicans in the majority, their regulatory approach is unlikely to win the day, at least in the current Congress.
Singling out CTA, Markey said he had issues with the association talking about technology being complicated and asking for more time back in 1990 when he tried to make sure all TV sets displayed closed captioning, then in 1996 when he wanted a V-chip in every TV, then again in 2010 when he wanted wireless devices to be accessible to the deaf and blind.
Markey said CTA's response was "never today" and not even "soon."
In those cases, said Markey, Congress needed to pass legislation to get it done and he suggested it was the same with insuring cybersecurity in IoT devices. Markey said he thought there would need to be a mandate and a deadline, rather than an "open-ended take home exam." He pointed out he held his first hearing on the "sinister side of cyber" in 1993.
Sen. Richard Blumenthal (D-Conn.) was equally impatient, though he directed his displeasure at industry players in general.
he said his impatience and frustration with the voluntary standards, public-private partnership approach was because he said there was a "tidal wave of anger and alarm" over cybersecurity. Gieger had refused in earlier questioning to label the issue a crisis, but Blumenthal said it, definitely was.
Bergman, when asked if the voluntary approach, though it may moving in the right directions, was moving fast enough. Bergman had said it was the fastest possible and most efficient way to move. Blumenthal said the answer should have been "no."
He pointed to devices that currently transmit information about what kids are saying, when people are awake, when they are using the device, and hacking software on Amazon for $20. There were a number of scare stories relayed during the hearing, including the hackers playing audio porn through a baby monitor and a casino high-roller list hacked using the connected thermometer in a fish tank.
"That is why there will be government intervention," he said. "The voluntary approach is failing or has failed and here has to be stronger attention, with a sense of urgency that the subject demands."