A coalition of the Information Technology Industry Council, the Semiconductor Industry Association, the U.S. Chamber of Commerce Technology Engagement Center, Intel, and Samsung, recently released a report that puts out a call for the creation and implementation of a national strategy to invest, innovate and accelerate development and deployment of the Internet of Things (“IoT”). The report recognizes that IoT is an extremely valuable part of our nation’s fabric, as it will facilitate a fundamental transformation in society through safety improvement, greater private and public sector efficiency, and significant economic growth in all sectors.
According to the report, the launch of the coalition’s IoT initiative was fueled by a “call of a chorus of technology leaders seeking a forum to proactively coordinate and drive industry’s trusted advisor role in helping the United States to fully realize the vast benefits of IoT for economic and societal good.” Through a series of analytical recommendations, the report, among other things, sets forth a definition for the IoT, the importance of having the federal government involved as a leader in the development of a national IoT strategy, and steps for approaching security within the IoT.
Starting with the basics, the report recommends an adoption of a “broad-based” definition for future IoT strategy and policy. To allow for all forms of IoT to be recognized, the report’s definition simply states, “[t]he IoT consists of ‘things’ (devices) connected through a network to the cloud (datacenter) from which data can be shared and analyzed to create value (solve problems or enable new capabilities).” This definition captures billions of existing devices and importantly leaves room for the inclusion of technologies and devices that might be invented one day in the future.
On developing a workable national IoT strategy, the report stressed the need to enact the Developing Innovation and Growing the Internet of Things Act, legislation which would, according to the report, ensure that a “national IoT strategy” becomes a priority and provide a clear “national IoT vision.” IoT industry experts have found that a “[n]ational IoT Strategy is a much-needed first step to drive U.S. IoT leadership, and some of the most important elements of a national strategy will require affirmative action from Congress and the administration.” Going a step further, the report makes “strategic recommendations for the U.S. government to work with the industry to drive American IoT leadership” by creating “a policy and regulatory environment that will attract unparalleled private sector investment and innovation in the IoT, thereby modernizing the nation’s infrastructure, improving American manufacturing, and growing [gross domestic product].”
Security is another important area addressed by the report. According to the report, a “government-industry” collaboration is critical to improving the security of devices, data, networks and systems. IoT and security must be viewed in a “comprehensive manner,” the report notes, because security is an endless and evolving challenge to technology and “[t]here is no single ‘silver bullet’ in risk management and mitigation.” The “best” security policy would focus on the outcome rather than specific technologies or techniques because a specific requirement can “quickly become obsolete,” the report points out. Implementing this kind of security policy would be a “win-win proposition for makers, providers, and purchasers.” Therefore, the report concludes that future federal policies should be “flexible” as to encourage “ongoing innovation and best practices” for security.
On a related note, increasingly common security breaches can bring about the issue of liability. In fact, class action data breach litigation has increased significantly in recent years. In these actions, plaintiffs seek damages from the businesses that “failed” to provide sufficient data security. But, with the IoT, who should really be held liable? Many plaintiffs’ attorneys argue that all IoT businesses within the IoT “supply chain” should be held liable for damages arising from data breach and lack of security. Yet identifying and understanding exactly who is in the “supply chain” can be extremely challenging.
All in all, a nationally recognized, flexible and multi-stakeholder IoT policy can provide a “smart” solution to cybersecurity issues because “IoT risk mitigation is a constantly evolving, shared responsibility between government and the private sector.” Threat of IoT cyber attacks are not speculative, as we have seen a major wave of cyber attacks due to “vulnerable” devices that did not have sufficient security.
The coalition’s report is a critical framework for advancing the development of IoT in the United States. It is now incumbent on private industry as well as the federal government to implement many – if not all – of the report’s recommendations.