Remarks of David J. Redl
Assistant Secretary for Communications and Information
The 6th Annual Internet of Things Global Summit
October 5, 2018
-- As Prepared for Delivery --
Thank you and good morning.
For the past few weeks, leading up to the 5G Summit hosted by the White House last week, I’ve been talking a lot about the Administration’s commitment to putting America first in the race to 5G, and how our success would unleash a new wave of innovation. It’s at conferences like this where that wave begins to take shape.
But there are a few things we have to get right first, including the speedy rollout of secure, ubiquitous 5G across the country. 5G will greatly expand the capabilities of wireless networks, allowing for nearly universal connectivity of people and machines. Without nationwide 5G, the Internet of Things won’t come close to reaching its full potential.
The Trump Administration is taking a comprehensive approach to help make America’s 5G leadership a reality. One of our top priorities at NTIA is making enough spectrum available to meet industry’s needs. We’re working across multiple fronts to make spectrum available, coordinating with industry, federal agencies and the Federal Communications Commission.
We’re also removing obstacles to the deployment of wireless and other broadband infrastructure, through an interagency working group that we co-chair with the Department of Agriculture’s Rural Utilities Service. This infrastructure will form the backbone of our nation’s 5G services.
At the direction of Congress, NTIA is also undertaking an effort to improve the data underlying the nation’s broadband map, so we can better address concerns about gaps in broadband availability, particularly in rural America.
As important as those issues are, as I see it, the biggest challenge to the advancement of IoT is cybersecurity. If we want to realize the innovation and growth promised by IoT, we must ensure that Americans can trust the devices that they’re using.
IoT presents a different challenge than securing smartphones or home computers. Many people do not think of their thermostats, lightbulbs, cars, or appliances as digital devices that may carry cybersecurity risks. At the same time, many manufacturers that haven’t previously had to deal with software vulnerabilities are suddenly finding themselves in the center of a complex ecosystem.
NTIA is working across the federal government, with stakeholders here and around the world, to promote smart IoT policies that incorporate security and protect American consumers.
Mitigating threats and securing IoT
Improving the resiliency of the Internet has been a priority from the beginning of the Trump Administration. One of the first Executive Orders issued by President Trump was designed to better secure federal networks and critical infrastructure. As part of that order, the Departments of Commerce and Homeland Security were asked to begin a process that would dramatically reduce the threat of botnets and similar attacks.
Together with the Department of Homeland Security, the Department of Commerce spent a year working with stakeholders to map out an ecosystem view of the problem. In May, we submitted a report to the President that included five top-line goals and more than two dozen action items. Since then, we have been working to turn that report into an actionable roadmap which will help us to track our progress and prioritize these actions – some of which have already begun.
As one example: This summer, we brought together stakeholders from different sectors, representing both vendors and enterprise customers, to discuss the merits of greater transparency around software components. The idea is that you have to know about any vulnerable components in your connected products if you want to keep them secure.
Stakeholders have identified several work streams addressing both technical and policy aspects of this issue. While there is widespread interest in making progress, there’s also a recognition that solutions must be both comprehensive to take advantage of scale, and flexible enough to meet the needs of certain sectors. We’ll be hosting an in-person meeting in Washington D.C. on November 6 for participants to share their progress.
Why the multistakeholder model works
The process is another example of our commitment to the multistakeholder model of Internet governance and policy development. The track record here is clear: When the government plays a convening role, and policies are created through bottom-up, consensus-based processes, the open and stable Internet is preserved and innovation is advanced. Why is this so important? Because as we know, it is our technological edge that has not only kept our economy strong, but our country safe.
NTIA has convened multistakeholder processes to build consensus and make progress on a number of issues. Last year we convened a collaborative effort between IoT manufacturers, security experts, and other IoT stakeholders that produced recommendations and guidance on how to make sure that connected devices were patchable. Prior to that, we worked on improving coordinated vulnerability disclosures.
Looking forward, technology is becoming more complex, connected and central to our lives, and that raises the stakes. Right now, a bug can cause a computer to crash. But what about when it causes a car to crash? It’s likely that we’re going to hear calls for government to step in and impose significant regulations.
From NTIA’s perspective, that’s not the right approach. Especially if we want to continue to foster the ingenuity we see emerging in this nascent sector. By applying stakeholder-driven policymaking processes as an alternative, we can achieve actionable controls and practices across the ecosystem and at the operational level that account for both the complexity of today’s digital ecosystem, as well as the speed at which bad actors attack and evolve.
Working with the owners and operators who are on the front lines, we can understand what the barriers are to making the ecosystem a safer place. Concerns over liability? Inertia? Lack of awareness or market incentives? If we can properly diagnose what’s blocking progress, we can ensure that the outcomes of these processes are targeted and able to be implemented.
That said, these processes won’t work if we can’t get the right players to participate. In cybersecurity, there’s a natural incentive for all stakeholders to come to the table, because no one can operate unless the ecosystem is stable and secure. But we still find ourselves needing to give certain groups a nudge to play ball. Our message is straightforward: We need everyone to work together to solve this problem, and we won’t be able to do it without you.
So if you’re a consumer advocate, or a software company, or a chip manufacturer, or an Internet engineer – if you have any stake at all in a more secure Internet, then please join us at the table. We value your perspective.
And if you come to the table ready to argue, that’s OK too. We expect it. By working through arguments we can get closer to uncovering where our interests overlap. That is our sweet spot – when we hear various stakeholders agree and say, “Yes, that is something we need to move forward.” And that meeting of the minds is where we begin to build cooperation and consensus.
When you take on difficult problems, it’s often best to start at a fundamental place. Take NTIA’s work on vulnerability disclosure. The agency brought together vendors, the research community and various vertical industries, including auto manufacturers and health care firms, and the only goal was to find a way to make things better. How can we improve relationships, build trust, and fix more vulnerabilities in a coordinated way?
The stakeholders led the way – they formed the focus groups and the agenda, and they decided what was achievable.
In our vulnerability disclosure process, one group decided to do a survey to dig into why various stakeholders make the decisions that they do. One of their findings, which they reported back to the larger group, was that 70% of security researchers were concerned primarily with receiving communication about the status of the security risk, as opposed to seeking a payout. This was something of a revelation for those companies and industries that had previously viewed researchers with suspicion. In their minds, what had once been viewed as a shake-down now looked more like an invitation to collaborate.
As the process continued, we were able to dispel further myths and make progress on recommended guidelines, as well as form a policy template that safety industries could use to announce their coordinated vulnerability disclosure policy. That template policy now serves as a guide across multiple industries.
Our ultimate objective with all of our processes is to foster a more resilient ecosystem through market-based cybersecurity solutions that are created by the very people who can implement them.
Seeking input on privacy
Of course, security is only part of the equation as we move toward a more connected world. We’ve also seen major national conversations around the issue of data privacy. NTIA research from last year shows that nearly three-quarters of Internet users had significant concerns about security and privacy risks, and a third said those concerns led them to avoid some activities.
The Department of Commerce, at the direction of the White House, recently asked the public for ideas on how to adapt privacy to today’s data-driven world. Our hope for this process is a result that will provide legal clarity, flexibility to innovate, and high levels of consumer protection.
The United States has a long history of protecting individual privacy. Under American leadership, with an approach that allows privacy and prosperity to flourish, business and consumers will be able to act with confidence and certainty.
The Internet of Things is very much in its infancy. 5G is still on the horizon, and we’ve only started to work through potential use cases for connected technology. A study last year predicted that, between 2017 and 2035, more than a trillion IoT devices will be built.
I think it bodes well for our connected future that we’ve been able to get ahead of some of the issues that will only grow more important as IoT matures.
As more challenges arise, we must continue to keep our eye fixed on the future. We can build in controls to address risks, but we must be careful not to overreact and stifle the rich innovation happening in the IoT world today. The best approach is to build awareness, improve transparency and create incentives for firms to innovate around secure practices.
For decades, America’s technology sector has been bringing its ingenuity and experimentation to bear on problems big and small. It’s that same ingenuity that we need to rely on to make these IoT products more secure. Our plan at the Department of Commerce is to find any way we can to foster innovation, protect the larger ecosystem, and build a market for secure products and services that can make our lives better every day.