Congressional Report Spotlights IoT Risks

Reps. Bob Latta, R-Ohio, and Peter Welch, D-Vt.
A new report from a bipartisan Congressional working group examining the benefits and challenges of the internet of things spotlights cybersecurity and privacy as top concerns across a variety of industries implementing the emerging technologies.
See Also: 2016 Social Engineering Report
But the report stops short of making specific recommendations for Congressional action. And several security experts say legislative or regulatory activity in the cybersecurity arena is highly unlikely in the months to come.
“In this political climate, it is my suspicion that any [government] recommendations will be looked at as a burden on commerce and business, and an intrusion by government,” says privacy attorney Steven Teppler of the Abbott Law Group. Congress won’t take action, he predicts, “until some legislators have problems with interconnected devices and the issues hit home.”
The white paper from the IoT working group of the House Energy and Commerce Committee describes findings gathered during five roundtables. The report also outlines initiatives underway outside of Congress – such as the National Institute of Standards and Technologies’ guidance for securing interconnected devices – to address IoT security issues
Tackling the Challenges
The IoT working group met with technology experts, key stakeholders and leaders in a number of industries to discuss the benefits and challenges of implementing IoT and the role of the federal government in advancing the new technology, notes a joint statement by the working group’s co-chairs, Reps. Bob Latta, R-Ohio, and Peter Welch, D-Vt.
“Privacy and cybersecurity were central topics introduced … that were regularly discussed throughout the five working group meetings,” the report notes. “There was also discussion and debate about the benefit of government mandates, and some participants recommended any government action take a holistic approach but not a one-size-fits-all mandate.”
公司在电子商务、交易系统等应用系统建设应具备相应管理规范,明确各交易环节或过程安全要求,采取必要安全技术和管理措施,保护个人信息和客户敏感商业信息,保留交易相关日志,确保交易行为安全可靠。
网络安全宣传动画——保护个人信息防止泄漏
The report concludes: “IoT technology is rapidly evolving and growing in ways that greatly impact the U.S. and global economy, as are the threats associated with this technology.”
A spokesman for Latta’s office says it’s unclear if the working group on IoT will continue in the new Congress because House Energy and Commerce committee members are still being selected. “If the working group continues, the next phase would look at making recommendations. This first step was trying to bring people together” for education about IoT benefits and risks, he says.
Best Practices
The paper refers to a number of best practices recommended by others, including NIST, the National Telecommunications and Information Administration, the Federal Trade Commission, and the Department of Homeland Security.
The goal that roundtable participants and working group members shared “is mitigating cyber risks through a multitude of channels, including but not limited to adopting best practices and basic security measures, software updates, encrypted communication and mutual authentication and authorization,” the report notes.
“Depending on the vertical and nature of the device, vulnerabilities will differ; therefore, multifaceted approaches must be taken into consideration,” the paper states. “We must encourage continued open dialogue between the federal government and private sector as technology develops.”
The working group roundtables examined IoT issues in specific industries, including automotive, energy and healthcare.
For example, in reference to discussions about healthcare IoT, the report notes: “It also became evident that just like every other industry, participants in the healthcare sector view data protection, cybersecurity and privacy as top concerns and priorities. It was recommended by some roundtable participants that the industry continue to work to limit vulnerabilities by developing software and devices with security in mind rather than solely based on functionality.”
More to Do
The Congressional report comes as IoT cybersecurity threats grow. For instance, last year, a malware-infected army of 100,000 mostly consumer IoT devices was used to carry out a distributed-denial-of-service attack against domain name server provider Dyn.
While the report does not make specific reference to the Dyn attack, it notes: “Recent examples of cyberattacks on IoT devices have exposed not just the potential impact on individual consumers, but the possible vulnerability on the broader Internet infrastructure.”
The report notes that roundtable participants had differing viewpoints on how best to create an environment that promotes IoT while protecting consumers and networks. “They also grappled with whether or not a solution should rely on industry established standards, agency recommendations, legislation or a combination of all the above,” the report says. “Although the participants lacked consensus on the best way forward, all agreed that security and privacy issues are critical to address within this emerging technology. Some participants also emphasized that consumers need to do their part to protect data by securing devices through good cyber hygiene practices.”
Political Impact
Privacy and security attorney Stephen Wu of the law firm Silicon Valley Law Group says he thinks it’s unlikely that the new Congress will call for new regulations related to cybersecurity and privacy.
Still, government agencies could make several moves to help promote the importance of IoT cybersecurity, he contends.
For instance, the Food and Drug Administration, which has issued voluntary guidance for pre-market and post-market cybersecurity of medical devices, could require the device manufacturers to submit to federal regulators disclosures about how the makers implement cybersecurity practices for their products, Wu says.
Regulatory agencies, such as the FTC, could also exercise more muscle when it comes to enforcement actions against manufacturers that are potentially deceptive about the privacy risks or cybersecurity concerns of their products, Wu says. “FTC has authority to stop deceptive or unfair business practices. The problem is that the agency likely would need more funding” to ramp up those enforcement efforts, he says. “And it’s not likely they’ll get getting extra funding.”
Privacy attorney Kirk Nahra of the law firm Wiley Rein notes that IoT covers many “enormously challenging issues.”

For example, he notes: “IoT involves areas where personal data is being collected where there has never historically been a collection of personal data – such as connected cars, refrigerators. On top of that you add things like mobile apps and wearables – whether healthcare related or not.”
There is a constant tension between convenience and security, Nahra points out. “So we have massive security concerns because of the ‘interconnected’ nature of all these activities – and some history of large-scale breaches where weak links in these areas get into larger risks,” he says. “On the privacy side, this is a gap in our sector-specific regulation so far – many of these areas are simply not regulated today – unless you say something that is false and deceptive, and then the FTC can go after you.”
Because the new Congress is unlikely to consider any IoT-related regulations, Nahra says, “the challenge will then fall to the businesses developing these products to be smart and responsible, and for private industry to develop best practices and industry standards to protect both businesses and consumers in these areas.”
各部门要加强信息安全人才培养、增强全民信息安全意识,大力普及信息安全基础知识和基本技能,开展面向全社会特别是青少年的信息安全和法律法规教育,动员社会力量共同做好信息安全保障工作。

猜您喜欢

北大青鸟中关村IT培训提示莫把高考当成终点
全民网络安全意识教育策略与资源
中国企业走向世界,需融合全球安全文化,线上教程帮助您:
76.3%互联网不良信息涉淫秽色情 61.0%涉嫌传播不..
TIMEOUTDOHA ZMININGS
陆易Louis是知名的搜索引擎公司搜度SoDo公司的一名资深研发组长,看看他遇到了什么搜索算法问题,以及信息安全调查人员有什么发现。