Feds Seem to Favor ‘Light Touch’ IoT Regulation

The Internet of Things may be in its infancy, but the U.S. government has been gearing up to determine what the proper federal role should be, both for encouraging and for regulating the use of IoT technology.

Two recent developments have underscored the government’s interest in IoT.

On the regulatory front, the Consumer Product Safety Commission has launched an initiative to determine a framework for regulation related to IoT. The agency finished taking comments from IT providers, other affected businesses and the public last month. The comment period followed a public hearing this spring, during which major interested parties presented their views on potential IoT regulation.

The second action was the recent introduction of the SMART IoT Act in the U.S. House of Representatives. The bill includes two major elements. First, it directs the U.S. Commerce Department to conduct a comprehensive study of virtually all aspects of the “Internet-connected devices industry” — also referenced in the bill as the “Internet of Things.”

The legislation further directs the Commerce Department to describe, in a comprehensive fashion, what various federal agencies have been doing with regard to the development and potential regulation of IoT.

Currently the CPSC, the Federal Trade Commission, the Federal Communications Commission, the National Telecommunications and Information Administration, and the National Institute of Standards, among other federal entities, have embarked on some kind of IoT program.

The bill is designed to provide lawmakers with the appropriate background to shape federal policy regarding the IoT. A key sponsor of the bill, Rep. Bob Latta, R-Ohio, noted that “because IoT is increasingly becoming ubiquitous, it is very difficult to know who is doing what — both in the federal government and in the private sector.”

Actions Reflect Caution

However, the IT community should not be overly concerned that a robust federal regulatory regime is looming — at least not at this point.

Take the actions by the CPSC, for example. In its invitation for public comment, the agency specifically sought information on how Internet-connected products might be hazardous to consumers, and what actions the commission could take to eliminate or mitigate those hazards.

In addition to discussing potential safety hazards resulting from connecting consumer products to the IoT, the hearing was meant to examine the CPSC’s role in addressing them.

With its latest actions, the CPSC appears more interested in exploring the impact of IoT than in contemplating any specific set of regulations.

“I think it’s appropriate for CPSC to take a look at the IoT and how cyberthreats can lead to product safety issues and [consider the] agency’s oversight function,” said Ari Schwartz, executive director of the Cybersecurity Coalition, which includes AT&T, Cisco, Microsoft and Symantec.

“Of course, we would favor the use of industry standards in any regulatory regime,” he told the E-Commerce Times.

“Right now, it’s too early to tell what direction the CPSC will take. The agency has to determine how broad its scope will be,” Schwartz said.

“I think CPSC is currently in the exploratory phases as to its role with IoT. The agency is genuinely interested in just learning more about IoT and its impacts,” said Rachel Weintraub, general counsel for the Consumer Federation of America.

In its comments to the CPSC, the Cybersecurity Coalition stressed that safety and security standards for IoT devices were inextricably linked and should be addressed in tandem, and that any standards should be set through a voluntary, consensus-based, and industry-led approach.

The wide array of IoT products and applications militates against any one-size-fits-all approach to standardization and regulation, the group contended.

A single standard “runs counter to where the industry is going,” Schwartz said at the CPSC hearing.

“While best practices and voluntary standards are helpful, they may not be adequate to protect consumers from the potential safety risks of using connected devices,” CFA’s Weintraub said at the hearing.

“The IoT raises questions about whether current product safety and product liability laws need to be rethought,” she noted, referencing a report from the Organization for Economic Cooperation and Development.

Mandatory vs. Voluntary

“Mandatory standards have an inherent enforceability and stronger compliance element,” Weintraub told the E-Commerce Times.

Still, by statute the CPSC’s regulatory approach generally centers on the use of voluntary standards, she acknowledged, although mandatory actions are permitted under certain circumstances.

That issue aside, CFA strongly recommends two actions designed to get ahead of any formal regulatory scheme, Weintraub said.

First is that producers should strive to incorporate safety into the original design of any connected device, product or application. Second is that all federal agencies with a stake in IoT regulation should cooperate in a working group to determine jurisdictional scope, adequate risk analysis, and a truly outcome-oriented approach, to ensure that nothing falls through the cracks in the federal effort to protect consumers from IoT-related risks.

The focus of the SMART IoT Act appears to be striking a balance between regulation and connected technologies development — with a tilt toward encouraging innovation. The act explicitly refrains from setting out a stringent national regulatory program.

At the federal level, the legislation “will help promote interagency discussions and help avoid conflicting or duplicative obligations or requirements that may slow innovation and progress,” said sponsor Latta.

Private Sector Engaged

At the industry level, the SMART IoT Act “will help innovators and businesses know how entities are developing, using and promoting use of IoT solutions,” Latta noted.

The bill also will “highlight industry-based efforts to self-regulate and provide industry with a one-stop-shop for a compilation of industry-based standards — both ones already in effect and those currently being developed,” he said.

While the SMART IoT Act can be helpful in describing federal efforts related to the technology, significant actions already are under way within and between agencies, and between agencies and the private sector, the Cybersecurity Coalition’s Schwartz noted.

The Commerce Department itself has organized an internal Internet policy task force composed of NTIA, NIST, the U.S. Patent and Trademark Office, and the International Trade Administration to keep tabs on Internet commerce, including IoT.

The NTIA, for example, last week conducted a multi-stakeholder public dialogue on software component transparency related to IoT. Representatives from Rapid7, Microsoft, and the Atlantic Council assisted in coordinating the meeting.

NTIA also has initiated an effort to ensure the integrity of IoT software, including the establishment of adequate patching mechanisms and security functions, and in the process has engaged with the private sector.

Recent federal developments clearly indicate that IoT is firmly on the radar screen of federal agencies charged with electronic commerce policy, but the current posture is consistent with that of the previous administration.

Just days before the Obama administration left office, the Commerce Department released a green paper examining the benefits and challenges of the evolving IoT landscape, and suggesting that the federal government should continue to nurture innovative technology.