The FCC Suggests Some Wishy Washy, Highly Unlikely Solutions To The Poorly-Secured Internet Of Things
Rather unsurprisingly, this has led to a renewed call for some kind of regulation to hold gear-makers accountable for shipping poorly-secured product. So far, however, the most we're seeing on the policy solution front are relatively shallow missives pushed by folks like the Department of Homeland Security. The DHS's "non-binding strategic principles" recently included recommendations along the lines of "hey, guys, maybe some of you should actually probe your product for vulnerabilities before shipping it to consumers?" and "uh, perhaps companies should think about security a little bit during the product design phase?"
FCC boss Tom Wheeler also appears to be vaguely exploring the idea of regulating the internet of things space with an eye on avoiding an IOT-induced cyber-apocalypse. In a letter by Wheeler to Senator Mark Warner (pdf), Wheeler advocates an FCC-mandated cybersecurity certification process for IOT devices, as well as a system to apply "consumer cybersecurity labels" for IoT devices and associated services. In the letter, Wheeler argues that this is one scenario in which industry self-regulation hasn't worked, and may not work down the road:
"I do, however, share your concern that we cannot rely solely on the market incentives of ISPs to fully address the risk of malevolent cyber activities. As private actors, ISPs operate in economic environments that pressure them to not take those steps, or to take them minimally. Given the interconnected nature of broadband networks, protective actions taken by one ISP against cyberthreats can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to take such protections. Cyber-accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively."
Wheeler's responding to an October letter from Warner regarding the Dyn DDoS attack, which was fueled by IOT devices. But like the DHS's recommendations few companies will actually follow, Wheeler's letter similarly leans heavily on ambiguities and lip service, while realizing the FCC's precarious current position. Buried under some oblique references to the FCC's Open Internet Order (Wheeler really only says that ISPs can manage these threats without running afoul of net neutrality), the baseline message is that industry needs to step up and fix its own problem:
"In 2014, I initiated a new paradigm for how the FCC would address cybersecurity for our nation's communications networks and services. I stated that it begins with private sector leadership that recognizes how easily cyber threats cross corporate and national boundaries and that, because of this, the communications sector must step up its responsibility and accountability for cyber risk management."
While stories like this one over at Morning Consult engage in a lot of hand wringing about the FCC engaging in regulatory over-reach, there's little to no actual chance of Wheeler's ideas actually being implemented. Wheeler is set to step down as chairman on January 20, and Trump's incoming telecom advisors have made it abundantly clear their top priority will be not only eliminating the FCC's net neutrality rules, but working to defang and defund the agency. The GOP is also cooking up a Communications Act rewrite now that it has Congressional and White House control that will similarly aim to hamstring the regulator.
A defunded and weakened FCC will likely be in no position to dramatically expand its authority into regulation of internet of things devices. In fact, it will likely mean the erosion of many FCC rules that already exist now. In other words, when it comes to IOT security we're going to be exactly where we started: waiting for gear makers to step up and take some responsibility for the fact their laziness has left us all immeasurably less secure, while bickering over whether regulatory over-reach on security could hinder the innovation in the IOT market.
Meanwhile, it's going to take a dramatic IOT-fueled incident of dysfunction and disaster before we stop doing the bare minimum, and begin taking the entire problem more seriously.