NTIA Summarizes Stakeholder Comments on IoT Security & Automated Threats
On September 18, the National Telecommunications and Information Administration (NTIA) released a report on Internet of Things (IoT) security, botnets, DDoS attacks, and other cyber threats. The Report of Responses to NTIA’s Request for Comments on Promoting Stakeholder Action Against Botnets and Other Automated Threats documents the overall themes of responses from 47 commenters. The full report can be found here.
Comments, filed in response to NTIA’s June 2017 Request for Comments, were provided by a variety of large trade associations, major internet and technology companies, security researchers, policy groups, and academia. Commenters recognized that the risks posed by distributed and automated attacks “are global, by their nature, and require international cooperation to work toward solutions. International standards and best practices will be necessary to achieve an effective global approach, rather than country-specific standards and regulations that could impose unnecessary costs and slow innovation.”
While stakeholders “resoundingly endorse voluntary, consensus-based industry- and community-led processes…a notable number of commenters viewed the lack of existing security and market incentives as requiring more active policy interventions.”
Commenters highlighted that addressing these risks is a shared responsibility across the digital ecosystem, with some industry actors providing examples of innovation to secure devices across the Internet of Things (IoT). Some stakeholder feedback underscores that, unlike voluntary best practices, specific regulatory regimes cannot provide the necessary flexibility to a market with extremely diverse security needs. Others argued, however, that not every company has adopted a risk-based mindset and that a lack of market incentives to promote good security practices means the government may need to step in to implement best practices through regulation.
The comments were collected as part of the review required by President Trump’s Cybersecurity Executive Order. This review calls for “an open and transparent process to identify and promote action by appropriate stakeholders” with the goal of “dramatically reducing threats perpetrated by automated and distributed attacks (e.g. botnets).” As a continuation of this process, NTIA has stated it welcomes additional stakeholder feedback and plans to release a draft report for public comment in January 2018, with a final report due to the President in May 2018.