DDoS Attack Focuses Attention of Congress and Feds on IoT Security
The news has been full of coverage about Friday’s Distribution Denial of Service Attacks (DDoS) attacks using botnets made of Internet of Things (IoT) devices. This most recent and troubling report intensifies government interest in IoT security. Several efforts are underway, providing IoT innovators the opportunity to shape the discussion and outcomes.
Senator Mark Warner of Virginia yesterday wrote a letter to Federal Communications Commission (FCC) Chairman Tom Wheeler, as well as the Federal Trade Commission (FTC) and Department of Homeland Security, highlighting security concerns arising out of the DDoS attacks. He asserted “that by the end of 2020, the number of IoT devices will grow from 13.4 to 38.5 billion – yet there is no requirement that devices incorporate even minimal security levels.” He asked a series of questions about steps agencies take to make consumers aware of security issues and manage IoT devices. This attention may cause agencies looking at IoT security to intensify efforts, which may lead to fragmentation.
The National Telecommunications and Information Administration (NTIA) is positioned to look at cross-sector IOT issues. NTIA took comment on the government’s role in fostering IoT. Commenters weighed in, generally urging “regulatory humility” lest government prematurely restrict the market before demand is understood. As NTIA drafts its “green paper” on IoT (to be released this fall), it can identify obstacles to security by design, information sharing, and the chilling effect of regulatory overhang.
NTIA is not stopping with its “green paper.” Because security was a frequent topic of comment, the agency recently kicked off a multistakeholder process on IoT security, specifically patching and upgradability. NTIA’s effort is based on concern about consumer expectations regarding the lifecycle of IoT devices. NTIA opined that “many manufacturers struggle to effectively communicate to consumers the security features of their devices” and that this is “detrimental to the digital ecosystem” because it fails to “reward companies that invest in patching and it prevents consumers from making informed purchasing choices.”
NTIA is considering how to foster markets and competitive differentiation for security by design and lifecycle management. At the first meeting, held in Austin, Texas on October 19, some participants argued that there is a “market failure” in IoT security. People expressed worry about “orphan devices” that remain on networks, and feared lax “security by design” in cheaper devices. Many advocated for consumer disclosures and public commitments from manufacturers about how they will support devices—and for how long. Some were skeptical that existing warranty paradigms will protect consumers.
Some participants noted that it may be premature to determine what this nascent market needs or desires. As NTIA looks at security processes, supply chain and consumer disclosures, innovators should consider what sort of market they want to work in. The risk of government overcorrection is real, and agencies may presume an unrealistic level of control by wireless operators and agencies over a global device, service and network ecosystem. For example, Senator Warner’s letter asks agencies to address consumer notifications and market controls:
- What strategies would you pursue to take devices deemed harmful to the network out of the stream of commerce?
- What strategy would you pursue to deactivate or recall the embedded base of consumer devices?
- What consumer advisories have you issued to alert consumers to the risks of particular devices?
The questions indicate a sweeping view of agency power. This sort of interest by Congress threatens to dial up agency pressure on the private sector. The FTC and FCC were already looking at aspects of IoT.
The FTC has been looking at IoT from a consumer protection standpoint, issuing a 2015 IoT report that raised many concerns and offered “recommendations.” The FTC Staff identified many benefits of IoT innovation, but also told NTIA in comments that it had security concerns about IoT because “many IoT chips are inexpensive and disposable, and many IoT devices are quickly replaceable with newer versions. As a result, businesses may not have an incentive to support software updates for the full useful life of these devices, potentially leaving consumers with vulnerable devices.” The FTC had initiated a joint inquiry into mobile device patching with the FCC, which remains ongoing.
The FCC is not being shy in moving toward regulation. It recently adopted a surprise rule mandating security statements be filed by licensees in particular spectrum. The new requirement, to be codified at 47 C.F.R 30.8, flows from FCC interest in IoT and concern that industry is not doing enough. This perception is not well founded, as the FCC did not have evidence of lax security by licensees and others in the ecosystem. To the contrary, industry has been working through standards bodies to create secure architectures, best practices, and use cases for IoT.
IoT security will be an evolving challenge that demands private sector vigilance. It promises to keep policymakers on their toes. In a regulatory climate that reacts to news cycles, education and collaboration will help avoid over-correction that could stymie innovation. Innovators should watch what the agencies say to Senator Warner, and how NTIA’s process unfolds. The FTC and FCC can also be counted on to keep things interesting.