The Internet of Things (IoT) offers a wide range of consumer benefits: the ability to control your thermostat or light fixtures through a smartphone, Internet-connected home security systems, wearables such as Internet-connected fitness bands and watches, and more. To help realize the full innovative potential of IoT, users need reasonable assurance that IoT devices and applications will be secure.
One particular area of concern is whether and how to address potential security vulnerabilities in IoT devices or applications through patching and security upgrades. In the early IoT market, there has sometimes been limited consideration given to supporting future security patches, even though many devices will eventually need them. Enabling a thriving market for devices that support security upgrades requires common definitions, so that consumers know what they are getting.
Currently, no such common, widely accepted definitions exist, and manufacturers can struggle to effectively communicate to consumers the security features of their devices. This is detrimental to the digital ecosystem as a whole, as it does not reward companies that invest in patching and it prevents consumers from making informed purchasing choices.
A range of commenters on NTIA’s recent IoT Request for Comment and last year’s Request for Comment related to cybersecurity identified security upgradability as an issue that required attention and coordination. In response, NTIA is planning to launch a new multistakeholder process to support better consumer understanding of IoT products that support security upgrades. We have used this approach to help make progress on issues such as cybersecurity vulnerability disclosure and providing more transparency about the data collected by mobile apps. Given the burgeoning consumer adoption of IoT, the time seems ripe to bring stakeholders together to help develop guidelines that encourage the growth of IoT.
The goal of the new multistakeholder process will be to promote transparency in how patches or upgrades to IoT devices and applications are deployed. Potential outcomes could include a set of common, shared terms or definitions that could be used to standardize descriptions of security upgradability, or a set of tools to better communicate security upgradability to consumers.
As with our other multistakeholder processes, it will be up to stakeholders to determine what outcome they want and when they have reached consensus on it. NTIA will act as a neutral convener. We welcome broad participation and diverse perspectives. For more information, and to indicate your interest in participating, please contact NTIA. Stay tuned for an announcement on the first meeting of this new process, which we hope to convene in early fall.