Regulating the Internet of Things

IoT manufacturers must help shape the legal and regulatory landscape by engaging with government policymakers worldwide.
Published: November 18, 2018

In the wake of the powerful Mirai, Reaper and Okiru distributed denial-of-service (DDoS) botnet attacks, executed through the infection and hijacking of hundreds of thousands of vulnerable Internet of Things (IoT) devices, governments around the world are stepping up their efforts to address the increased security and safety risks inherent in the rise of IoT adoption, and to better define their role in fostering and regulating the technology.

With more than eight billion IoT devices in use in 2017 and approximately one million new IoT connections made every hour, policymakers are taking a closer look at the many security and user-awareness implications associated with the Internet of Things. Not surprisingly, a number of proposals for studying and regulating IoT devices are being considered.

In the United States, Congress has introduced several IoT bills in both the House of Representatives and the Senate. These measures approach the IoT from different perspectives, including creating new resources for consumers to better understand the security and reliability of their IoT devices, regulating specific security standards and imposing contractual requirements on companies that provide IoT devices to the government.

One such bill, the Developing Innovation and Growing the Internet of Things (DIGIT) Act, directs the U.S. Secretary of Commerce to convene a “working group of Federal stakeholders” to create recommendations and a report to Congress on the IoT. Another bill, the SMART IoT Act, would require the U.S. Department of Commerce to conduct a study on the state of the industry. The Department of Commerce’s National Institute of Standards and Technology (NIST) has already launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk.

Congress is also considering the Cyber Shield Act, which would create a voluntary labeling and grading system for IoT devices. Under this program, products may be given grades that “display the extent to which a product meets the industry-leading cybersecurity and data security benchmarks.” Products that meet the advisory board’s standards would carry a cyber-shield logo. The system has been compared to the Energy Star program developed by the EPA more than 20 years ago.

Separately, the Senate has introduced the IoT Consumer Tips to Improve Personal Security Act that would require the Federal Trade Commission (FTC) to develop cybersecurity resources for consumer education and awareness regarding the purchase and use of connected devices. While the FTC produced guidelines for IoT security and privacy protection in 2015, it stopped short of calling for regulation, arguing that this would be premature. More recently, the FTC suggested that the legal framework surrounding the IoT is, for the most part, the same as the one that applies to other types of technology.

Another bill, the Securing the IoT Act, would require the Federal Communication Commission (FCC) to establish cybersecurity standards that radio frequency equipment must meet in order to be certified under the FCC’s technical standards for equipment authorization. The FCC has already weighed in on IoT regulation, and has suggested that if it determines the risk identified with the IoT won’t be naturally addressed by the market, it will consider further action.

Finally, the Internet of Things Cybersecurity Improvement Act sets minimum security standards for connected devices purchased by the government, and mandates the specific contractual provisions agencies must include in any contract for such devices. Although the legislation only applies to government agency suppliers and affiliates, it could well establish a benchmark for device manufactures that will influence commercial production.

Diffuse efforts around the world introduce additional complexity into the marketplace, with the prospect of compliance with multiple standards and regulatory requirements. With so many ongoing and overlapping efforts, there is a danger of premature, ill-advised and conflicting requirements and obligations.

In California, Governor Jerry Brown recently signed a bill regulating the cybersecurity standards of internet-connected devices, making California the first state in the nation with such a law. Starting on Jan. 1, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification or information disclosure.

The European Commission introduced a Cybersecurity Package last year that included a stringent certification scheme for connected devices. For now, those requirements are voluntary, but that could also change. The EC Cyber Package also includes a joint Commission and industry initiative that would seek to define a “duty of care” principle to help reduce the risk of product and software vulnerabilities and promote “security by design.”

As the world’s primary manufacturing base for many of the connected consumer goods, China has become more focused on IoT security as well. In addition to China’s Cyber Security Law, which took effect last year, it has become relatively clear that many businesses operating IoT infrastructure in mainland China will be considered “network operators” subject to additional regulation. Moreover, IoT infrastructure operated by key industry players such as energy and transportation will be likely considered critical information infrastructure under the new law and be subject to even more stringent regulation.

Japan has also released a “General Framework to Secure IoT Systems” designed to clarify the fundamental and essential security requirements for secure IoT systems.

As security concerns about IoT devices increase, so does the debate about the necessity of government regulations. Standardization requirements, certifications and labeling schemes are less practical in an ecosystem of billions of devices. Indeed, labeling or security ratings can breed a false sense of security, contribute to over-warning and generate needless consumer litigation. Furthermore, new regulation and bureaucracy can have the unintended effect of reducing consumer choice and competition.

For the most part, flexible approaches to collaboration regarding shared threats have significant advantages over national regulation or labeling schemes, which can fragment the global economy and limit technological innovation. For these reasons, it is critical that IoT manufacturers help shape the future legal and regulatory landscape by engaging with government policymakers in the United States and around the world.

J.C. Boggs is a partner in the Government Advocacy & Public Policy and Data, Privacy & Security groups at King & Spalding.