[co-author: Noah Cherry]
Hogan Lovells’ Winnik International Telecoms & Internet Forum explored how the Internet of Things (IoT) may continue to expand the scope of cybersecurity concerns. Cybersecurity risks for the IoT were previously synonymous with enterprise products. Now these risks extend to consumer devices, services and applications.
According to cybersecurity leaders attending the forum, the IoT market needs new, market-driven approaches to cybersecurity given the number of at-risk IoT products and services. Travis LeBlanc, Chief of the Federal Communications Commission’s (FCC) Enforcement Bureau, said while the number of IoT devices has exploded, the existing 500 million IoT devices with outdated security features are “not going anywhere.” According to LeBlanc, “government needs to incentivize the entire [IoT] community because individual networks may not be affected.” LeBlanc reviewed various government initiatives from the FCC, Federal Trade Commission, National Telecommunications and Information Administration, and the National Institute of Standards and Technology. He said innovation is outpacing regulation. According to LeBlanc, government should not over-regulate because doing so would restrain innovation. He added that, while achieving perfectly secure devices and networks is impossible, industry and government can better manage risks through collaboration, consumer education, and multi-national efforts to confront global cybersecurity threats.
Other panelists identified the persistent tension between cybersecurity and usability as a continuing challenge for businesses selling or using IoT products and services. Austin Carson, the Legislative Director to Representative Michael McCaul (R-TX), Chairman of the House Committee on Homeland Security, said that robust security protections can interfere with the convenience that consumers demand from IoT devices. According to Carson, class action lawsuits have become a new source of business risk. When a known vulnerability is exploited, plaintiffs’ attorneys have sought to recover damages for the diminution of value in a product as a result of a cybersecurity breach, including consequential damages to other property due to the cybersecurity breach, Carson said. According to Carson, the financial risk from these types of class actions far exceeds any potential government fine.
Julie Kearney of the Consumer Technology Association said the consumer technology industry has sought to address cybersecurity risks without regulation. According to Kearney, businesses face a challenge in educating consumers to secure their own networks and buy products from reputable brands. The private sector also has to confront the proliferation of standards for networks and redouble efforts to incorporate security by design into every device without sacrificing functionality and ease of use.
Lisa Hayes with the Center for Democracy and Technology agreed. According to Hayes, consumers love connected devices but worry that some connected devices, such as medical products, may no longer function if Internet connectivity is lost. Hayes said that companies should begin encrypting everything and adopt new security standards for IoT devices as they become available.
In sum, panelists asserted the market can address new and evolving IoT cybersecurity risks better than government mandates so long as regulators and courts must allow companies room to manoeuvre. Meanwhile, the rest of us – from device manufacturers to consumers – each have a role to play in protecting connected devices and minimizing the risks as much as possible.
