Department Of Commerce Agency Seeks Standards For IoT Security

King & Spalding

On August 2, the National Telecommunications and Information Administration (“NTIA”), an agency of the Department of Commerce, announced that it would form a multi-stakeholder group to increase transparency for the deployment of security patches or upgrades for Internet of Things (“IoT”) devices.  In particular, the NTIA has suggested “a set of common, shared terms or definitions that could be used to standardize descriptions of security upgradability or a set of tools to better communicate security upgradability.”  The NTIA’s approach builds on the Federal Trade Commission’s (“FTC’s”) similar consultative measures regarding IoT security, and if implemented could help speed consumers’ and industry’s adoption of IoT technology.

The NTIA’s initiative follows its April 2016 request for comment on “The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things.”  That consultation yielded several comments raising technical and market-based concerns regarding cybersecurity in the IoT, and in particular the challenges of updating IoT devices in the field to protect against post-deployment security exploits.  For example, the Coalition for Cybersecurity Policy & Law (the “Coalition”) agreed with the FTC’s 2015 identification of three issues that hamper more effective security patching: (a) devices’ disposability rather than upgradeability, (b) consumers’ ignorance of new patches, and (c) firms’ lack of economic incentive to provide ongoing support.  The Coalition suggested that the Department of Commerce address these issues by working with industry to develop specific guidelines for patch management.  In particular, it urged that these guidelines “encourage participants in the IoT market to collaborate with third parties, to plan by design for evidence capture, and to segment and isolate unpatched systems until the entity is confident that the system is ‘clear.’”

It remains to be seen how the NTIA’s proposed working group will coexist with the FTC’s ongoing work on IoT security.  To date, both agencies have shown a preference for self-regulation rather than new rulemaking.  However, as with the “best practices” the FTC outlined in its 2015 report, the NTIA group’s work product could guide future regulation, and could establish a common-law standard of care for maintaining IoT devices’ security.

For information on participating in the new group, tentatively scheduled to convene in the fall, please click here.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
