NIST Issues Tech Guidance, NTIA Seeks Broad Input
As the federal government grapples with the Internet-connected devices and applications that make up the Internet of Things (IoT), the National Institute of Standards and Technology (NIST) is forging ahead to provide "technical leadership" for "the operation, trustworthiness, and lifecycle of IoT" (NIST, Special Publication 800-183, Network of Things, July 2016). Such efforts complement, and contrast with, recent policy efforts at the National Telecommunications and Information Administration (NTIA) and elsewhere to promote IoT innovation while addressing security, privacy, and interoperability. This federal activity will influence domestic policy and may be critical in shaping international efforts that otherwise threaten global innovation.
NIST's Recent SP 800-183 Joins Efforts to Address IoT Design
NIST is a non-regulatory agency responsible for creating security guidelines for federal information technology. Through various components and partnerships, NIST provides technical guidance, increasingly with an eye toward private sector use. NIST has been at the forefront of data security, cybersecurity, and privacy. Its work is influential and included in security standards and procurement requirements. NIST has been looking at several aspects of IoT.
NIST recently released a publication providing a model that defines IoT and its fundamentals, in hopes of creating more secure and reliable technology. According to NIST, the five basic building blocks of IoT technology, or "primitives," are: sensors, aggregators, communication channels, external utilities, and decision triggers. NIST seeks to give researchers and developers a common language for resolving the security challenges that arise in Internet-connected devices and networks. NIST discusses factors affecting security and reliability and the trade-offs between open and closed systems. After identifying the general model for IoT systems and the determinants of reliability and security, NIST discusses potential challenges. For example, NIST identifies issues related to car speed sensors, and explains how wearable health devices that transmit data depend on the security of the communication channel.
This recent publication is just one of NIST's efforts on mobility and IoT. NIST has long looked at cyber-physical systems of all sorts, and has released guidelines addressing mobile device security and applications and information sharing architectures. While NIST's standards and guidelines are consensus-based and voluntary (for the private sector), they can be binding on federal agencies, are often used by state and local governments, and are incorporated in other federal and private standards, including procurement demands.
NTIA Is Forging Ahead on IoT Policy
While NIST addresses technical models and best practices, NTIA is active in IoT, championing multistakeholder processes. NTIA earlier this summer sought and received comments on the potential federal role in promoting IoT innovation, as well as whether and how privacy, security, and interoperability can best be addressed. NTIA also sought comment on what role, if any, the United Nations' International Telecommunication Union (ITU) should play in setting technical standards for IoT.
Last week, NTIA announced that it will convene an IoT multistakeholder process focused on the cybersecurity and upgradability of IoT devices and applications. This multistakeholder process will attempt to create a set of definitions, descriptions, and guidelines about security patches and upgrades in order to promote greater transparency about whether and how IoT devices and applications can receive security upgrades. According to Angela Simpson, the Deputy Assistant Secretary for Communications and Information, the multistakeholder process could lead to standardized descriptions of security upgradability or a set of tools to better communicate security upgradability. NTIA plans to host the first meeting in early fall 2016.
Multistakeholder models are well-suited to the evolving nature of threats and responses in technically complex areas such as cybersecurity. Recognizing the benefits of collaboration over regulation, NTIA convened a cybersecurity vulnerabilities multistakeholder process in 2015 to understand vulnerabilities created by information technology systems in the digital economy, such as those associated with IoT, and to establish best practices and coordinate efforts regarding cybersecurity and information sharing. These efforts continue.
U.S. Developments Occur Amidst Global IoT Activity
These activities are taking place while global policymakers address IoT. There has been considerable controversy in recent years over what some perceive as "mission creep" by the ITU into IoT standardization activities. The ITU's standardization work primarily is carried out by technical study groups, and, in 2015, a new Study Group 20 was created to focus specifically on IoT and its applications. Some countries, including China, Russia, Saudi Arabia, and South Korea, now are positioning through SG20 to make the ITU the sole global registry for IoT addressing. Citing IoT privacy and security concerns, these countries seek to mandate the proprietary Digital Object Architecture (DOA) as the sole global IoT addressing system. The ITU currently has rights to that intellectual property.
These ITU activities can have far-reaching economic and social consequences, including for U.S. businesses. Although DOA is useful in many contexts, such as libraries, SG20 proposals seeking to "Recommend" DOA as the sole global IoT addressing system are inconsistent with principles of technology neutrality and threaten to supplant the important role of the technical community, other standards development organizations, and business and civil society in IoT standards development. If adopted, such action could place IoT addressing squarely under the control of intergovernmental organizations and governments.
Not surprisingly, the private sector has been almost unanimous in urging NTIA to ensure that IoT technical and interoperability standardization activities remain in voluntary, open-participation, globally recognized, and consensus-based bodies, and that outcomes at this early stage of IoT development are technically neutral. As IoT continues to mature, innovators should continue to urge federal experts and policymakers to reflect and promote the values of technical neutrality and regulatory humility at NIST, NTIA, and beyond.
Companies assessing IoT opportunities should heed these and other legal and policy developments as they develop products, services, and business partnerships.
This article was originally published on CircleID on August 10, 2016.