The government is trying to catch up on IoT security policy
The ballooning security problems presented by the burgeoning Internet of Things phenomenon need to be addressed as quickly as possible, but the ecosystem’s complexity makes it hard to know where to start, a government advisory panel was told Wednesday.

The question has taken on a new urgency following the massive DDoS attack last week, which brought many major websites’ operations to a screeching halt. The attack was carried out by a network of infected IoT devices.

The National Telecommunications and Information Administration — a small agency within the Department of Commerce — has drafted an IoT policy green paper following a request for comment issued last year, NTIA Policy Analyst Travis Hall told a public meeting of the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board.

The general takeaway from the comments was that “The IoT will necessitate new policies, but not a new policy approach,” meaning the administration will continue to focus on partnership with industry and on voluntary best practices drawn up by multi-stakeholder working groups, rather than on regulation.

One such multi-stakeholder group — focused on IoT — met last week in Austin, Texas, Hall said.

“This is one of those messy, interesting processes where we throw out a topic — or rather a series of scoped questions — to the stakeholders and then step back,” he said.

The meeting set up five working groups. According to his briefing, and another NTIA official, they are tasked as follows:

  • A “gap analysis” — looking at where the holes are in existing best practices and voluntary standards for ensuring that IoT devices can be updated and patched when vulnerabilities are inevitably found in their software;
  • A “communications plan” — to figure out how IoT manufacturers and providers can provide transparency for the consumer about security standards on their devices;
  • Looking at “maximum capability and minimum expectations … For each defined class of device, what is the least we might expect and the most we might expect” for patchability?
  • “Talking about incentives and barriers” — “How do we foster greater adoption of good patching and updating practices?”
  • “Looking at the possibility of a ‘platform for patching’” — some kind of internet portal or other framework which would both help consumers figure out how to adjust security settings and reduce the costs of entry for startups and small businesses by providing off-the-shelf security measures for new devices.

The platform could even be constructed to take over the security of IoT devices which become “orphaned” either because they are abandoned by their manufacturer or because the manufacturer goes out of business, Hall said.

“This is something the stakeholders themselves wanted to look at,” said Hall, calling it “a very exciting possibility.”

Hall said there was no current timetable for the working groups, but that “particularly in light of the DDoS attacks last week” everybody involved was feeling pressure to move quickly.

As far as the green paper was concerned, a draft had been written but it would need to get reviewed by internal stakeholders before being revised and eventually issued.

“Previous green papers had a clear path to white paper” status as statement of planned administration policy, because it was earlier [on] in the administration.

“Right now that path is a little less clear,” he said.

“We’re in the long game, which doesn’t solve the immediate problem,” he said. “The long game, [in this case] is how do you create a market for security” of IoT devices, when there are no standards or benchmarks against which consumers can judge products and manufacturers can measure or boast about their security?

The multi-stakeholder process aimed at “Creating transparency so that a market for security can develop.”

He said that “even when they feel like they’re taking forever,” multi-stakeholder processes actually compared favorably to rulemaking or other policy processes, and because the results were industry-driven, they tended to be adopted quickly.

“One size definitely doesn’t fit all,” he said, in the very complicated ecosystem of the IoT, in which device and component manufacturers, service providers and network managers all have to work selflessly together to ensure that devices can be installed securely, kept up to date and patched against the latest vulnerabilities.
