MoFo Privacy Minute
On September 19, 2016, the National Telecommunications and Information Administration (NTIA) of the U.S. Department of Commerce announced that it will initiate a multistakeholder process on security upgradability and patching for the Internet of Things (IoT). The first meeting in this process will occur on October 19, 2016, in Austin, Texas, to coincide with the Consumer Technology Association’s Technology and Standards Forum.
It is noteworthy that the NTIA is turning its attention to what would appear to be a very technical issue relating to the IoT. But, as the Federal Register notice describes, the NTIA believes that, in order for the potential of the IoT to be realized, users of IoT devices “need reasonable assurance that connected devices, embedded systems, and their applications will be secure.” In this regard, the NTIA notes that “[a] key part of that security is the mitigation of potential security vulnerabilities in IoT devices or applications through patching and security upgrades.” As a result, the NTIA’s hope is that this multistakeholder process will help create a “thriving market for patchable IoT.” In the NTIA’s view, such a marketplace requires a common language and standardized definitions across the ecosystem, so that consumers will understand the security features of IoT devices and so that those devices can receive security upgrades in the same way that regular updates to applications and operating systems are currently delivered, through visible reminders and automated updates. The intention is that this process will ultimately yield such shared definitions and strategies for communicating with consumers about the security features of their IoT devices.
While this first meeting is intended to be largely introductory and focused on the logistics of future meetings, the NTIA’s objectives also include engaging in a discussion of “key security upgrade dimensions, features, and concerns,” as well as identifying concrete goals going forward.
The NTIA also notes that it began focusing on this IoT issue as a result of two separate efforts. First, in March 2015, the NTIA issued a request for comments on substantive cybersecurity issues where a broad consensus and the development of best practices “could substantially improve security for organizations and consumers.” The NTIA apparently received a number of comments about addressing cybersecurity policies and practices for the IoT through a multistakeholder process. In addition, in April 2016, the NTIA and the Commerce Department’s Internet Policy Task Force and Digital Economy Leadership Team requested comments on the government’s role in fostering the IoT. The NTIA notes that it received comments from more than 130 stakeholders, and that security issues were among the most common topics raised.
The NTIA appears to believe that the IoT is an industry poised for broad and deep penetration into consumers’ daily lives, but that security issues must be addressed so that this new ecosystem can develop in a safe and secure manner. The goal of the NTIA’s multistakeholder process is to help facilitate that development.