On August 2, the National Telecommunications and Information Administration (“NTIA”), an agency of the Department of Commerce, announced that it would form a multi-stakeholder group to increase transparency for the deployment of security patches or upgrades for Internet of Things (“IoT”) devices. In particular, the NTIA has suggested “a set of common, shared terms or definitions that could be used to standardize descriptions of security upgradability or a set of tools to better communicate security upgradability.” The NTIA’s approach builds on the Federal Trade Commission’s (“FTC’s”) similar consultative measures regarding IoT security, and if implemented could help speed consumers’ and industry’s adoption of IoT technology.
The NTIA’s initiative follows its April 2016 request for comment on “The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things.” That consultation yielded several comments raising technical and market-based concerns regarding cybersecurity in the IoT, and in particular the challenges of updating IoT devices in the field to protect against post-deployment security exploits. For example, the Coalition for Cybersecurity Policy & Law (the “Coalition”) agreed with the FTC’s 2015 identification of three issues that hamper more effective security patching: (a) devices’ disposability rather than upgradeability, (b) consumers’ ignorance of new patches, and (c) firms’ lack of economic incentive to provide ongoing support. The Coalition suggested that the Department of Commerce address these issues by working with industry to develop specific guidelines for patch management. In particular, it urged that these guidelines “encourage participants in the IoT market to collaborate with third parties, to plan by design for evidence capture, and to segment and isolate unpatched systems until the entity is confident that the system is ‘clear.’”
It remains to be seen how the NTIA’s proposed working group will coexist with the FTC’s ongoing work on IoT security. To date, both agencies have shown a preference for self-regulation rather than new rulemaking. However, as with the “best practices” the FTC outlined in its 2015 report, the NTIA group’s work product could guide future regulation, and could establish a common-law standard of care for maintaining IoT devices’ security.
For information on participating in the new group, tentatively scheduled to convene in the fall, please click here.