Does everyone remember why the Department of Homeland Security exists? Among other things, that massive government agency was created because the private commercial airline industry was lackadaisical in addressing the terrorist threat in airports. September 11, 2001 was the result.
Well guess what? In one of the last FCC rulings under the Obama Administration, the FCC has issued a stern warning to private industry involved in the Internet of Things (IoT), saying basically, “Clean up your act or we will be forced to step in.”
The warning notes that the government will force commercial companies to institute protective procedures if action is not taken.
The FCC's Cybersecurity Risk Reduction White Paper, which was issued on January 18, 2017, expresses serious concerns about the “burgeoning and insecure IoT market [that] exacerbates cybersecurity investment shortfalls [because] the private sector may not have sufficient incentives to invest in cybersecurity beyond their own corporate interests.”
Noting that insecure wireless devices have shut down service to millions of users by attacking critical control utilities that are not FCC-regulated, the FCC is advocating “cyber accountability” — a combination of market-based incentives and regulatory oversight — to reduce cyber risk in the communications sector.
Security by Design
Certainly, the FCC is most worried about communications carriers, including Internet service providers primarily. But the IoT world, namely device manufacturers and vendors, would bear a large portion of responsibility.
The FCC proposes that IoT equipment suppliers should implement “security by design” practices to build cybersecurity into their products before marketing them. As defined by the FCC, security by design is “a practice of continuous testing, authentication safeguards, and adherence to best [cybersecurity] practices.”
The FCC hints that regulatory oversight of this process will likely be required, in part because of the “large and diverse numbers of IoT vendors — who are driven by competition to keep prices low — hinders coordinated efforts to build security by design into the IoT on a voluntary basis.”
Accordingly, the FCC states that, among other things, changes to its equipment certification rules may be necessary to protect networks from IoT device security risks.
The last sentence of the report says it all: “The Commission’s preference is to work collaboratively with industry using private/public partnerships. However, if market forces do not result in a tolerable risk outcome, the Commission has tools available to make adjustments to restore the balance.”
This warning is like a pre-9/11 document about Osama bin Laden. It should not be ignored, especially if it means there is a potential “9/11-like” cyber attack coming. The Consumer Technology Association (CTA) and other associations should immediately be engaged with the vendor community on this looming regulatory issue.
