By Taylor Armerding
Jan. 9, 2017
FCC Chairman Tom Wheeler, in a Dec. 5 response, noted that global realities mean that actions of a single ISP won't change much. “Protective actions taken by one ISP against cyber threats can be undermined by the failure of other ISPs to take similar actions,” he wrote. “This weakens the incentive of all ISPs to take such protections.”
Experts are also extremely wary of government involvement in regulating any element of internet security because of its demonstrated desire for “back doors” into devices and networks.
Schneier, even while calling for federal regulation to improve IoT security, said that, “government needs to resist the urge to deliberately weaken the security of any computing devices at the request of the FBI.”
Baugher, while declaring that “government is needed for cybersecurity,” also declared just as emphatically that “the US government can’t deliver it,” in part because it has demonstrated repeatedly that it can’t secure its own infrastructure. He cited multiple examples – former secretary of state and recent Democratic presidential candidate Hillary Clinton is the most famous example – of Cabinet-level officials using private, and insecure, email servers.
But more significant, he said, is that US government policy “is and has been to weaken device security to better enable information collection. The government is in no position to advocate mechanisms for increasing the cybersecurity of IoT or other applications when it simultaneously tries to undermine the security of devices and their users.”
For now, specific regulations with legal force and penalties appear to be some time away. Not that there is no activity. The FTC recently announced the "IoT Home Inspector Challenge," a contest that, “challenges the public to create a technical solution (‘tool’) that consumers can use to guard against security vulnerabilities in software found on the Internet of Things (IoT) devices in their homes.” The winner will receive a $25,000 prize, with $3,000 prizes for runners-up.
There are also a number of government documents that address internet security. DHS recently published "Strategic Principles for Securing the Internet of Things," but noted that they are “non-binding principles and suggested best practices,” which means there is no force of law and no consequence for failing to follow them.
Sjouwerman called the document, “a good start, but no teeth.”
Baugher, noting that there are other government “best practices” recommendations, said the DHS paper suggests to him that, “there seems to be a competition between some federal agencies. The proposals at this point seem more political than technical.”
And Spiezle said while, “the threat of government regulation as well as enforcement is important, we need action today.”
That, he said, can come from the private sector. He said OTA has issued a public call to major retailers including Costco, Amazon, Best Buy and Target, “to stop selling products that fail to adhere to core foundation security and privacy principles.”