Report: Regulators Are One Step Behind IoT Security Issues


The Internet of Things, a term that encapsulates everything from networked medical devices and kitchen appliances to automated homes and cities, has grown rapidly, but not without its share of security concerns. Some of these potential issues are still under the radar of most regulators, a new policy study by R Street TechPolicy Fellow Anne Hobson found.

“Because of the nature of network effects, internet-of-things devices present a unique problem to the internet as a whole,” writes Hobson. “When devices are connected, one device’s vulnerability becomes a problem for the entire network. This is not a new threat, as networked devices have been around since the 1960s. However, the scale of interconnection among today’s devices magnifies the consequences of insecurity.”

This development opens the door for a more robust cyber-insurance market and for more products that give consumers information about the cybersecurity of the products they purchase.

“Lack of cybersecurity is often viewed as a demonstration of market failure. It should instead be viewed as a market opportunity for private actors to lower the cost of information exchange or to help companies mitigate cybersecurity risks,” Hobson writes. “Policymakers can play a role in supporting market-based solutions like cybersecurity-assurance programs, information-sharing programs and adoption of cyber insurance.”

The report suggests that federal agencies should perhaps encourage the fast-developing cyber-insurance market to insist that internet-of-things contractors be held financially responsible for any liabilities created for taxpayers as a result of cyber-attacks on their products or services.

Insofar as regulators are involved, their approach should be outcome-driven rather than an attempt to create one-size-fits-all standards that will be rapidly outpaced by technological development, the report concludes.

Hobson concludes:

“Policymakers should avoid any regulatory approaches that would require design standards rather than performance standards. Design standards include rules that would require products to use certain protocols or communication standards deemed secure, whereas performance standards would set a desired safety outcome without specifying the means to achieving it. This would motivate companies to focus on compliance, rather than security. Legislating specific technical solutions would codify easily outdated features, limit U.S. competitiveness abroad and stunt experimentation.”

R Street is a nonprofit, nonpartisan public policy research organization whose mission is to promote free markets and limited, effective government. It has headquarters in Washington, D.C. and five regional offices across the country.