Alexa Lee photo
Ensuring Security Through Policy in IoT

“What’s the weather like today in New York City?”

Answering this question, along with other day-to-day workflows or tasks performed by smart devices, is made easier by the Internet of Things (IoT)—the term used to describe the connectivity to the Internet present in everyday devices like smart speakers, thermostats, and even vacuums.

As the number of IoT devices in the marketplace grows and consumers enjoy the benefits and conveniences that these technologies bring, it is important to ensure these devices are secure and resilient to potential malicious attacks.

This week’s National Institute of Standards and Technology (NIST) workshop on the IoT Cybersecurity Baseline is an important step, and ITI is excited to be a participant. The workshop brings together IoT device manufacturers, consumer advocates, cybersecurity researchers, government officials, and industry leaders to gather feedback and outline next steps.

Security is about more than just the device

Securing an IoT device is a multifaceted challenge that demands a layered approach: security must be addressed not only in IoT devices but also in the network infrastructure, cloud architectures, edge providers, and any other element of the Internet of Things that interacts with those devices. So far, policymakers around the world have proposed requirements, certifications, and labeling programs for connected devices—showing a disproportionate focus on IoT product security or on other individual parts of the ecosystem.

Though these efforts are well-intentioned, they do not go far enough to fully address security concerns. Stakeholders should take a thoughtful and holistic approach in managing the various parts of networks and complex ecosystems that comprise global IoT security. If the components of the ecosystem are only addressed in isolation, these security efforts will ultimately fail.

The importance of an industry-led approach

Although focusing exclusively on devices does not solve all the security problems facing IoT technology, there is a need to develop consensus around baseline security capabilities for those devices that are manufactured, sold, and used inside the United States. Other countries, like the United Kingdom and Australia, have already begun to identify key baseline capabilities.

ITI recommends identifying a common set of best practices and secure capabilities that are broadly applicable and driven by global market demand. Further, developing a consensus baseline that is grounded in existing international standards and broadly supported across the industry will facilitate more effective government-industry collaboration on IoT security, helping to enable interoperable IoT security policies worldwide.

Avoiding regulatory fragmentation

Lastly, distinct IoT security certification or other requirements that vary significantly across individual U.S. states or foreign jurisdictions may unhelpfully fragment the global IoT security landscape. Such fragmentation would limit the growth of a secure IoT by reducing the efficiencies of scale in development, assessment, and consumer awareness of secure IoT products.

To combat the currently divergent policy environment, global harmonization and regulatory cooperation is key. Policymakers and regulators should reinforce public-private partnership on IoT issues to help identify cybersecurity solutions and better coordinate the many IoT security policy efforts currently underway across the United States and amongst foreign partners and stakeholders. NIST’s ongoing commitment to industry outreach in developing an IoT security framework is an excellent example of this, as are similar efforts by the European Union Agency for Cybersecurity (ENISA) and the governments of the U.K. and Japan.

Security policy efforts that are geared towards these three key outcomes — a focus on the broader IoT ecosystem, industry-driven baselines and standards, and avoiding regulatory fragmentation — will provide durable solutions that allow for more effective, worldwide IoT security standards and thus better overall IoT security.

Public Policy Tags: Internet of Things