While the Internet of Things (IoT) promises enormous potential for improving government efficiency and the user experience, it also creates serious cybersecurity risks. All levels of government and the private sector continue to grapple with how to capitalize on its potential while making sure the IoT ecosystem is secure and resilient against attacks.
In a set of IoT policy principles released Feb. 5, the Information Technology Industry Council (ITI) laid out broad guidance that emphasizes consistency in policy-making for government, the private sector, and other IoT stakeholders to make sure the “entire IoT ecosystem is secure and resilient in the face of malicious actors while also providing the benefits and conveniences that consumers demand.”
“[T]he destructive potential of cyberattacks can increase exponentially when such attacks leverage massive quantities of connected IoT devices. As risks to the global digital ecosystem, including IoT, continue to grow, so does our need to restore trust and confidence in connected devices and the IoT and larger ecosystems to advance not only security but economic growth and innovation,” ITI said.
The tech trade group urged government and industry to focus on:
Secure the Entire IoT Ecosystem, not Just the Device
ITI said stakeholders must take a “thoughtful, holistic approach to securing the various parts of networks and complex ecosystems that make up the IoT.” Specifically, they must focus on end-to-end security, including security-by-design techniques, and secure development lifecycles.
Develop Industry-Driven Baseline Capabilities and Security Standards
In addition to ecosystem-wide security, the report emphasizes the need for baseline security capabilities for IoT devices. “Developing a common set of best practices and security capabilities that are broadly applicable across all IoT devices with varying levels of complexity and are driven by market demand will help to improve all new IoT devices’ cybersecurity,” ITI said.
Avoid Regulatory Fragmentation
Governments should ensure that regulation of IoT is consistent, and should “examine the technologies underlying the IoT and assess where current authority, oversight, and regulation already exist and avoid siloed, sector-specific regulatory approaches.” Additionally, policymakers and regulators should focus on “private-public cooperation on IoT issues to help identify cybersecurity solutions and better coordinate the many IoT security-related policy efforts currently in progress across the U.S. government and globally,” the report says.
Promote Global Harmonization
Building on the idea of avoiding regulatory fragmentation, the report explains that “mandatory IoT requirements published by individual states or municipalities, sector-specific agencies, or countries will unhelpfully fragment the global IoT security landscape.” That kind of fragmentation may, according to ITI, limit the growth of secure IoT by “reducing the efficiencies of scale in development, manufacturing, support, training, assessment, and identification of secure IoT products. It will also make it more difficult for industry to comply with such divergent requirements, hampering global business and trade.”