Business groups are pushing back against the idea that last week’s massive DDoS attack might reveal a need for regulating the cybersecurity of web-connected consumer products — even as new polling data shows that Americans are wary of online dangers from the meteoric growth of online devices.
“We cannot regulate our way to cybersecurity,” said Matt Eggers, executive director for cybersecurity policy at the U.S. Chamber of Commerce, during an online discussion about the huge attack that brought major websites like PayPal and Twitter to their knees for several hours Oct. 21. In the following days, it emerged that the attack was conducted by hijacking the internet connections of millions of IoT consumer devices like DVRs and webcams.
“There’s a tendency for policymakers to try to run before they can walk in this [technology] space,” added Eggers.
The explosive growth of these devices is driving “an estimated trillions of dollars in new economic value,” according to Gary Shapiro, president and CEO of the Consumer Technology Association. In a statement released to the media this week, Shapiro added that “As with any immense opportunity, there are risks involved — in this case, bad actors who in the name of chaos or blackmail disrupt the communication and connectivity we all depend on.” He warned against “let[ting] these cybercriminals hinder innovation and the countless ways in which technology is changing our lives for the better.”
But polling data the Chamber of Commerce released Friday shows that Americans are anxious about the cybersecurity of connected devices, and a majority (53 percent) believe that manufacturers, rather than users or owners (23 percent), should be responsible for securing them against hacking.
Asked about the cybersecurity of web-connected IoT devices, only four percent said they were “very secure,” and 21 percent said they were “somewhat secure.” A total of 46 percent said they were either “not too secure” (30 percent) or “not at all secure” (16 percent). Twenty-eight percent didn’t know or had no opinion.
Americans also have doubts about whether IoT devices keep their data private. Fewer than half had “a lot” (11 percent) or “some” (35 percent) trust in IoT devices to keep their personal data “secure and private.” Those figures were roughly comparable to the proportion that trusted federal agencies (15 percent “a lot”/31 percent “some”), but much lower than the numbers that had confidence in banks (25/41 percent) and even Google (20/42).
But after being told how the attack earlier this month was conducted using hijacked IoT devices (only 25 percent correctly selected IoT devices as the source of the attack from a list of four possible causes, with another 36 percent choosing wrongly and 39 percent admitting they didn’t know), Americans became more distrustful of them.
Asked again about their confidence in the security of IoT devices, a whopping 61 percent now said they were either “somewhat” (32 percent) or “very” (29 percent) insecure. Four percent continued to maintain that they were very secure, with 15 percent saying they were “somewhat secure.” Twenty percent had no opinion or didn’t know. Women were more suspicious than men and older people more than younger.
“We don’t want people pointing fingers at the victimized industries,” said Eggers, adding that businesses should be on their guard against policy makers’ tendencies to “over-regulate.”
“Policy makers and industry can come together as we did with the NIST Framework,” he said. “We respected each other’s objectives … and that worked well.”
Shapiro said device manufacturers “can consider adopting a set of best practices for security, including developing a certification program,” and Eggers also urged the adoption of best practices.
But the problem is enormously complicated because of the number of stakeholders. Device manufacturers, internet service providers and network managers all have to work selflessly together to build a secure IoT ecosystem, according to Chris Boyer, AT&T’s assistant vice president for global public policy.
“Manufacturers have to step up,” he told the government’s Information Security and Privacy Advisory Board this week, adding that even if best practices were implemented immediately, there were 10 billion IoT devices already connected.
“This is a long tail issue,” he said.