The US Department of Homeland Security has announced plans to make the internet-of-things just a bit more complicated – by trying to shove itself into the market with a new security framework.
On Thursday, assistant secretary for cyber policy at the DHS Robert Silvers told the Security of Things Forum in Cambridge, Massachusetts, that his department had decided to develop "a set of strategic principles" for IoT manufacturers that would ensure that security is built into future products.
While no one is going to disagree about the need for drastically improved security in this market, there are already a number of other government departments working on the issue, including the Federal Trade Commission (FTC), the Department of Commerce, and the Department of Transportation – begging the question why the DHS should get involved at all.
Forum attendees asked as much, leading to a textbook demonstration of Washington willy-waving.
The industry, according to Silvers, is demanding that IoT security is tackled "from a DHS perspective," meaning a focus on public safety. And then he damned other government departments' efforts with faint praise.
"This is complex stuff, but it's not going to be regulatory or over prescriptive, it's not even going to be highly technical," he argued. "What we're going to be doing is drawing on the best approaches, pulling them together and elevating them to get the public's attention."
Previous guidance from the National Telecommunications and Information Administration (NTIA) and FTC will "factor into" the DNS' principles, he said, noting that in his view they "haven't stuck" with the market.
Is that right?
That will come as something of a surprise to the NTIA – which is running a special one-day meeting next month in Austin, Texas, on IoT "security upgradability and patching." The NTIA has also been working on IoT issues and holding industry meetings for the past 18 months.
Likewise the FTC, as part of a broader push to improve privacy and security in new apps and products, has been working for a number of years on principles and best practices.
The DHS's current plan seems to be little more than shoving their foot in the door: Silvers could not give a timetable for the principles, or even a consultation plan. He didn't highlight specific areas of concern, or point to the direction the DHS is expected to take.
Also, more worryingly, he suggested that it would be the DHS itself that developed the principles, reviewing them internally and then providing them to the market for review. Something that government agencies that have been dealing with the disparate and complex IoT market would tell you is a virtual guarantee that they "will not stick."
"We have a small and closing window of time to take decisive and effective action," Silvers said, according to Threatpost – although it was unclear whether he was talking about the DHS or the market.
"The challenge of addressing IoT security is outweighed only by the greater challenge of patching, or building on the security of already deployed systems," he said, seemingly not referring to the NTIA meeting next month. "While some of this may sound like common sense, it's an undeniable fact that some companies are not being held accountable," he added, apparently not talking about the FTC.
"The longer we deliberate, the further ground we're going to have to recover, so let's all get together with focus and resolve, because at the end of the day we want a future that's innovative but secure," he concluded, possibly reading from the same speech he'd delivered at DHS headquarters the previous day. ®