IoT Economy – Government and Industry Must Get on the Same Page
2020-02-06 Marcellus Buchheit
Given the unbridled growth of the IoT and its potential impact on consumer safety, critical infrastructure, and business continuity, the need for global regulation is quite evident. To their credit, industry organizations, like the IIC, Trusted Computing Group, and others, have taken the lead with self-regulatory initiatives that outline best practices, security frameworks, and other proposed guidelines to help IoT device manufacturers meet safety standards when introducing their products to the market. Technology vendors, like Wibu-Systems and Infineon Technologies, continue to develop leading-edge technologies and collaborate on real-world use cases that demonstrate how IoT developers can incorporate security-by-design strategies into their products. Government regulatory agencies and their bureaucratic processes, on the other hand, are struggling to keep up with the rapid developments emerging in an industry experiencing explosive growth.
For its part, the U.S. government has recently taken action to promote regulatory requirements in some areas regarding the IoT. For example, in the past year, the U.S. Congress has introduced three pieces of legislation aimed at promoting safe IoT growth.
Most recently, the U.S. Senate unanimously passed the Developing and Growing the Internet of Things (DIGIT) Act, which directs the Secretary of Commerce to convene a working group of federal stakeholders to advise Congress on how to plan and encourage IoT, including spectrum needs and the appropriate regulatory environment for things like consumer protection, privacy, and security.
In July of 2019, the U.S. House of Representatives introduced the Internet of Things (IoT) Readiness Act to prepare American infrastructure to accommodate millions of connected devices. The bill directs the Federal Communications Commission to collect and maintain data on the growth in the use of Internet of Things devices and devices that use 5G mobile networks in order to determine the amount of electromagnetic spectrum required to meet the demand created by such use, and for other purposes.
Also in 2019, the U.S. Senate Homeland Security and Governmental Affairs Committee favorably reported on the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, a bill that will make sure government IoT devices are as secure as they can be, including by requiring transparency and disclosure from contractors. Specifically, the bill would require the U.S. National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices. The bill, introduced in the U.S. Senate, would require that devices purchased by the U.S. government meet certain minimum security requirements.
These legislative measures are well meaning and indicative of the recognition by government that it is time to get involved. In the U.S., of course, legislation requires approval of two houses of Congress and a signature of the President before it goes into law, and therein lies the potential bureaucratic snag, as progress can be delayed at each step. This is particularly noteworthy in a market that is moving so rapidly and where response time is critical to enacting regulatory initiatives. Let’s hope the U.S. government, and others around the globe, can hurdle such bureaucratic obstacles and move forward with regulatory initiatives that ensure the safety of the public while maximizing growth in the global economy promised by advances in the IoT.
In the meantime, here’s a sampling of available guidance and best practices already put forth by industry leaders and associations: Licensing and Security for the Internet of Things (White Paper – Wibu-Systems), The Business Viewpoint of Securing the Industrial Internet (White Paper – Industrial Internet Consortium), Architect’s Guide: IoT Security (White Paper – Trusted Computing Group), Secure Manufacturing of Outsourced Real Time Controllers (Use Case – Wibu-Systems and Infineon Technologies), and Securing the Backbone of Connected Industry (Use Case – Wibu-Systems, Balluff, and OPC UA).
Contributor
Marcellus Buchheit
Co-founder of WIBU-SYSTEMS AG, President and CEO of WIBU-SYSTEMS USA
Marcellus Buchheit earned a master's degree in computer science from the University of Karlsruhe, Germany, in 1989, the same year he co-founded Wibu-Systems. He is known for designing innovative techniques to protect software from reverse-engineering, tampering and debugging. He frequently speaks at industry events and is co-author of the IIC's Industry IoT Security Framework publication. He is currently president and CEO of Wibu-Systems USA, Inc. based in Edmonds, Washington State.