This week, the Center for Democracy and Technology (CDT) provided public comments on a National Telecommunications and Information Administration (NTIA) green paper titled “Fostering the Advancement of the Internet of Things (IoT).” CDT applauds the NTIA and its Internet Policy Task Force for the green paper. It provides a comprehensive examination of the key issues that decision-makers in the public and private sectors must grapple with in order to realize the benefits of the IoT, while mitigating security, privacy, and other risks.
CDT’s comments supported a proposed risk-based approach to IoT security, suggested development of metrics to assess the costs/losses due to IoT security issues, and urged a greater focus on the unique privacy concerns raised by IoT devices. CDT also cosigned a submission by Rapid7 supporting the development and implementation of coordinated vulnerability disclosure and handling processes. All public comments can be found at the NTIA website.
CDT agrees with the NTIA’s approach to the security of IoT technologies. A risk-based approach is in accordance with international best practice in digital security, the NIST Cybersecurity Framework, and the approach of the Federal Trade Commission in this area. Essential to a risk-based approach is the estimation of the probabilities of digital security incidents, which arise when threats exploit vulnerabilities, together with estimates of the range of possible economic and/or social impacts of those incidents. A risk-based approach improves security outcomes by allocating resources to the security measures that mitigate the causes of the most potentially costly incidents, rather than spreading them evenly across every conceivable threat. This is a win-win for companies and for consumers.
Quantifying the IoT, both its benefits and its security risks, should be a high priority in the public and private sectors, particularly in the developing IoT market, because it provides the foundation for a solid risk-based approach that improves security outcomes. In its green paper, the NTIA proposes ‘next steps’ in relation to the development of metrics to quantify the economic benefits of IoT technologies (e.g., metrics related to changes to output, value added, and employment).
However, these variables do not provide an understanding of the potential direct costs or indirect economic losses due to security issues with IoT technologies. Without an understanding of the probabilities of incidents and the related costs/losses, decision-makers in the public or private sector will not be able to accurately determine which security measures for IoT technologies, or which public policies to spur the development and/or adoption of such measures, will yield the greatest net economic and social benefit (that is, cost minimization and benefit maximization).
CDT recommends that the NTIA and the U.S. Department of Commerce, in conjunction with private sector stakeholders, expand their examination of metrics to include those relating to the security of IoT devices. Such metrics might include, but are not limited to, the probability of incidents occurring due to certain classes of digital threat (e.g., malware, denial of service, etc.); the likelihood of incidents occurring as a result of known vulnerabilities in IoT software and hardware; the potential economic impact (costs and losses) of digital security incidents to individuals, households, businesses, and the national economy; and the net economic impact of more secure IoT devices vis-à-vis the status quo.
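To make concrete how the metrics above feed a risk-based allocation of security spending, here is a small worked model. It is an added illustration, not part of CDT’s comments or the NTIA green paper: the incident classes, probabilities, loss ranges, controls, costs and reduction factors are all constructed numbers, and the greedy “expected-loss reduction per dollar” prioritization is one simple heuristic chosen for the example, not a method either document prescribes.

```python
"""Quantitative IoT security risk model (added illustration, constructed data).

Each incident class carries an annual probability and a loss range; each
control reduces the probability of some classes at a cost. Expected annual
loss is summed over classes, and controls are chosen greedily by the
expected-loss reduction they buy per dollar, within a budget.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class IncidentClass:
    name: str
    annual_probability: float  # P(at least one such incident in a year)
    impact_low: float          # low end of the loss estimate, USD
    impact_high: float         # high end of the loss estimate, USD

    def mean_impact(self) -> float:
        # Assumption: losses are spread uniformly over the range, so the
        # expected loss given an incident is the midpoint.
        return (self.impact_low + self.impact_high) / 2


@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    # Fraction by which this control cuts each class's annual probability
    # (class name -> fraction in [0, 1]); classes not listed are unaffected.
    reduction: Dict[str, float]


def expected_loss(classes: Sequence[IncidentClass],
                  controls: Sequence[Control] = ()) -> float:
    """Expected annual loss across all classes with the given controls applied.

    Reductions from several controls on the same class are assumed to be
    independent, so they multiply rather than add.
    """
    total = 0.0
    for c in classes:
        p = c.annual_probability
        for ctrl in controls:
            p *= 1.0 - ctrl.reduction.get(c.name, 0.0)
        total += p * c.mean_impact()
    return total


def prioritize(classes: Sequence[IncidentClass], controls: Sequence[Control],
               budget: float) -> Tuple[List[Control], float]:
    """Greedy selection: repeatedly add the affordable control with the best
    expected-loss reduction per dollar, re-evaluated after each pick so that
    overlapping controls are not double-counted. Returns (chosen, spent)."""
    chosen: List[Control] = []
    remaining = list(controls)
    spent = 0.0
    while True:
        current = expected_loss(classes, chosen)
        best, best_ratio = None, 0.0
        for ctrl in remaining:
            if spent + ctrl.cost > budget:
                continue
            gain = current - expected_loss(classes, chosen + [ctrl])
            ratio = gain / ctrl.cost
            if ratio > best_ratio:
                best, best_ratio = ctrl, ratio
        if best is None:
            break
        chosen.append(best)
        remaining.remove(best)
        spent += best.cost
    return chosen, spent


def net_annual_benefit(classes: Sequence[IncidentClass],
                       chosen: Sequence[Control]) -> float:
    """Loss avoided by the chosen controls minus what they cost: the
    'net economic impact vis-a-vis the status quo' for one year."""
    avoided = expected_loss(classes) - expected_loss(classes, chosen)
    return avoided - sum(c.cost for c in chosen)


# Constructed sample data for one hypothetical device fleet (not real figures).
CLASSES = [
    IncidentClass("malware", 0.30, 50_000, 250_000),
    IncidentClass("denial_of_service", 0.20, 20_000, 80_000),
    IncidentClass("known_vuln_exploit", 0.40, 100_000, 500_000),
]
CONTROLS = [
    Control("signed_ota_updates", 60_000,
            {"known_vuln_exploit": 0.6, "malware": 0.5}),
    Control("ddos_scrubbing", 30_000, {"denial_of_service": 0.7}),
    Control("vuln_disclosure_program", 20_000, {"known_vuln_exploit": 0.3}),
]

if __name__ == "__main__":
    print(f"status quo expected annual loss: {expected_loss(CLASSES):,.0f}")
    picked, cost = prioritize(CLASSES, CONTROLS, budget=100_000)
    print("chosen:", [c.name for c in picked], f"spent {cost:,.0f}")
    print(f"net annual benefit: {net_annual_benefit(CLASSES, picked):,.0f}")
```

Two caveats a practitioner would attach to any such model. First, the output is only as good as the probability and loss inputs, which is exactly why the comments call for metrics to be developed; point estimates and a uniform loss range (the assumption used above) hide the tail risk that usually drives real losses, and a serious programme would feed calibrated distributions rather than single numbers. Second, the greedy selection is a heuristic: it gives a sensible ranking when controls are independent, but the multiplicative overlap between controls means it can miss a better combination that a full search over the budget would find.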
IoT technologies raise novel privacy issues. The scale, scope, and stakes of the IoT offer tremendous benefits and require a general policy response from government. They also necessitate a firm commitment to recognize the distinct privacy considerations involved. The growing deployment of sensors and devices in homes, cars, and even in human bodies presents new vectors for the ubiquitous collection and sharing of highly sensitive personal information over time, including health status and activity levels, personal habits, location, the presence of other individuals, and other types of metadata.
The real and perceived privacy risks that emerge as a result threaten public trust in and adoption of IoT technologies. Failure to address these concerns may substantially reduce the potential benefits that might come from widespread adoption of IoT technologies.
Along with 15 organizations and 6 individuals, CDT co-signed a public submission from Rapid7, which recommended that the NTIA “actively encourage IoT providers and operators to develop and implement coordinated vulnerability disclosure and handling processes.” Vulnerability disclosure and handling processes are formal internal mechanisms for receiving, assessing, and mitigating security vulnerabilities submitted in good faith by external sources, such as independent researchers, and for communicating the outcome to the external vulnerability reporter and affected parties.
Signatories recommend that the Department of Commerce strengthen the IoT Green Paper by: more clearly articulating the benefit of adopting coordinated vulnerability disclosure and handling processes for IoT device and software providers, and committing to continue working with the IoT industry, government bodies, and other stakeholders to promote voluntary adoption of coordinated vulnerability disclosure and handling processes.
In sum, the NTIA green paper is an excellent start on crafting a policy framework for IoT; however, it is incumbent on the agency not only to consider the benefits but also to mitigate the risks as it considers the adoption of this promising new technology.