As more everyday items like toasters, TVs and thermostats become connected to the internet, the rules for keeping those devices secure must be able to evolve as quickly as the technology itself, experts said Tuesday.
Congress and government regulators have spent years debating the best strategies for securing the billions of network-connected devices that permeate virtually every corner of the physical world. Last month, the National Institute of Standards and Technology published guidelines managing security on the internet of things, and lawmakers have introduced multiple bills over the past year meant to secure connected devices purchased by federal agencies.
While today most people agree the tech should follow a set of minimum security standards, experts fear regulations that are “overly prescriptive” could hinder security rather than help.
“It’s hard to tell manufacturers a discrete set of things you should do till the end of time for all devices, because [that guidance] is based on today,” Michael Fagan, a cyber specialist at NIST, said on a panel hosted by the Telecommunications Industry Association. “We don’t know where devices will go in the future.”
During the event, Fagan and other industry cyber experts warned legislation that mandates specific protections might not even be applicable to tomorrow’s tech because it’s based on the use cases and threats facing the tools today. The internet of things is changing so rapidly, and its evolution is so unpredictable, that even basic rules like requiring devices to come with changeable passwords could quickly become “stale,” they said.
Because updating laws can take a long time, panelists added, the government could find itself constantly playing catch up if it relies exclusively on legislation to keep connected devices safe. And while groups like NIST will continue updating security guidance as the tech develops, they said, those individual frameworks won’t have a long shelf life.
“Any [framework] we build about what’s going on today … could very well become obsolete,” Fagan said. “Anything [framework] we try to build about what’s going to be around tomorrow … is going to be speculative.”
There’s obviously a need to create security standards for the internet of things, he and other panelists said, but those rules need to be as adaptable and dynamic as the technology itself.
Instead of codifying specific standards, Congress should consider enacting laws that tie industry security standards to “a living document,” like a NIST framework, according to Chris Boyer, the assistant vice president for global public policy at AT&T. Under that system, the government could hold industry to the latest standards without updating the law for every incremental development.
As the government works to promote security, panelists added, it’s important for policymakers to recognize that there won’t be a single standard for the entire internet of things. Smart appliances will need less strict security rules than internet-connected medical devices, for instance, and it will be critical for groups like NIST to fine-tune policies for different use cases, according to panelists.
“If we set the bar too low, we’re going to have an amount of security that’s unacceptable … and if we set the bar too high we may make barriers to entry” for future innovation, said Eric Wenger, who leads Cisco’s cybersecurity public policy division.