As we have previously outlined in detail, sustainability management provides a useful conceptual framework for crafting forward-looking cybersecurity policy. A sustainable approach to cybersecurity involves, among other things, acknowledging that cybersecurity is a shared responsibility, framing business choices that prioritize security as investments, and engaging broadly in risk management practices. The Internet of Things (IoT) ecosystem has reached (or, arguably, passed) an inflection point in its development, and a sustainability-based security baseline for consumer-facing IoT is past due.
The National Institute of Standards and Technology (NIST) is well positioned to support the creation of a voluntary and flexible baseline that identifies the cybersecurity capabilities IoT device manufacturers should prioritize during product development to sustain the internet ecosystem. Executed properly, such a baseline (1) could be broadly adopted by IoT product manufacturers, (2) could serve as a model for international standards that advance U.S. security prioritization, and (3) could help transform the current culture of consumer fear, uncertainty, and doubt into one of consumer trust through follow-on assessments and awareness raising. Acting within its existing authorities, the executive branch must prioritize consumer IoT security. A NIST-led IoT security capabilities baseline is a key component of a more secure and sustainable internet ecosystem.
The Consumer IoT Market is Unsustainable
IoT does not fit neatly into any one-size-fits-all definition. Reasonable distinctions may be drawn, however, between consumer IoT and industrial IoT. You’re likely to be familiar with some of the more popular consumer-facing IoT devices currently on the market, such as fitness trackers and smart home devices. This rapidly growing IoT ecosystem faces numerous privacy and security issues, three of which are worth highlighting here. First, consumers lack basic knowledge and awareness of security threats and neglect to practice proper cyber hygiene. Second, misaligned incentives and market failures have produced a device market replete with insecure products, amounting to a vast new attack surface. Third, although NIST is currently drafting guidance on managing security and privacy risks within federal information systems, we lack a baseline for consumer IoT devices that reflects U.S. values. These problems illustrate the need for a more sustainable approach to consumer IoT, focused on best practices in IoT product manufacturing.
A NIST-Developed Security Baseline for Consumer IoT Can Support a More Sustainable Internet Ecosystem
The federal government has undertaken a series of actions to address the growing threat from interconnected systems used to monitor and control critical infrastructure. In 2008, the White House issued a comprehensive National Security Presidential Directive that focused primarily on federal network cybersecurity. Five years later, President Obama signed Executive Order 13636 to expand the government’s focus to support and enhance critical infrastructure security. Among the most useful outcomes of these efforts has been the development of the Cybersecurity Framework (CSF) Version 1.1. The CSF has been broadly adopted by both domestic and international industry.
Nearly ten years after the Comprehensive National Cybersecurity Initiative began, consumer-facing IoT is posing similar threats to the longevity of the internet. To be clear, the government has not been sitting on its collective hands in response to the challenges consumer IoT presents. NTIA has engaged in a multistakeholder process on IoT security upgradability and patching, and NIST is holding a July workshop on managing IoT cybersecurity and privacy risks for federal agencies. Nevertheless, a comprehensive baseline to support long-term risk management for IoT product manufacturers is lacking. NIST is well positioned to support the effort to create this consumer IoT baseline, similar to its work coordinating the CSF. NIST has legal authority under the Cybersecurity Enhancement Act of 2014, Executive Order 13800 provides the requisite policy direction, and NIST has a proven track record from overseeing the formidable CSF process.
A NIST-led consumer IoT security capabilities baseline could provide a sustainable approach to solving three critical problems with consumer IoT devices. First, it could replace the myopic first-to-market approach usually taken by device manufacturers with a secure-to-market framework that emphasizes sustainability principles – e.g., long-term investment, shared responsibility – and the forward-facing goals of scalability, flexibility, and interoperability.
Second, the baseline could serve as a model based on shared security values that other countries could adopt. A sustainable, holistic approach to IoT device security must be truly global and collaborative. The U.S. has the opportunity to take the lead on sustainable cybersecurity by creating a consumer IoT baseline that could lead to the same kind of broad international adoption that followed the release of the CSF.
Third, and perhaps most importantly, a consumer device IoT baseline can help to shift the current culture of consumer fear, uncertainty, and doubt to a sustainable culture of consumer trust. As we note in our recent white paper, lack of consumer trust in internet privacy and security is deterring consumers from fully engaging in online commerce. This amounts to an unsustainable culture that harms innovation and growth. When it comes to consumer IoT specifically, product manufacturers have the opportunity to take the lead to restore the public confidence that is necessary to ensure the ecosystem’s long-term viability. This will only be achieved when IoT devices provide consumers with a baseline level of privacy and security. A NIST-developed security capabilities baseline is a good first step to reach this goal.
Following release of the baseline, relevant agencies and market participants can use it to assess products against, and to raise consumer awareness about the need for, and benefits of, a more secure consumer IoT. The development and adoption of an IoT security capabilities baseline, together with other ongoing government and private sector-led efforts, will bring us closer to achieving the widespread recognition of cybersecurity as a shared responsibility that is critical to a sustainable internet ecosystem.
It should be noted that building the CSF was a significantly time- and labor-intensive process. To the extent that NIST lacks the resources to effectively oversee the creation of a new baseline, Congress needs to step in and provide the agency with adequate resources.