The Federal Trade Commission (FTC) has a clear, concise message to IoT (Internet of Things) device makers: Inform consumers on how you intend to secure your products, maintain security with regular updates, say how you will deliver the patches, and disclose the date when support for your devices will end.
What’s the occasion for the FTC’s suggestions? The agency has made public its input on guidance offered by a working group of security stakeholders assembled by the U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) for IoT device makers.
If you want to read the FTC’s comments in their entirety, they’re here.
And, if you want to read the stakeholders’ draft guidance, entitled Communicating IoT Device Security Update Capability to Improve Transparency for Consumers, it’s here.
FTC Advice to IoT Device Makers: Summarized
The long forms aside, here’s the FTC’s abridged version:
The end goal is to provide IoT device makers with a roadmap for informing consumers about their security policies, so that potential buyers can make sound decisions. The FTC’s comments suggest modifications to what the NTIA’s committee categorized as “key elements” for manufacturers to consider.
Acknowledging that device security, specifically hacker attacks, tops the list of consumers’ concerns, those “key elements” include:
- If the device(s) will receive security updates
- How consumers will get the patches
- End-of-life security dates
“To combat such threats, security researchers and government agencies have emphasized the importance of taking reasonable steps to design secure products and to maintain their security with updates that patch vulnerabilities in the firmware powering IoT devices,” FTC officials wrote.
Among the suggested changes, the FTC also recommended that manufacturers consider telling consumers upfront if a “smart” device will lose basic functionality after security support ends. In addition, the agency suggested that consumers should be informed whether a traditional, non-“smart” device would have a longer, safer lifespan.
Amid its ideas, the FTC acknowledged that IoT device makers face a balancing act in securing their devices:
“Poorly-secured IoT devices create opportunities for attackers to steal data or assume device control, harming both device owners and third parties targeted by ransomware or botnets of “zombie” devices.
“In deciding whether and how to patch devices, manufacturers must balance the benefits of safeguarding against various threats with the considerable costs of developing, testing, and deploying software updates.”
IoT Cybersecurity Recommendations: Multiple Parties Weigh In
We should expect to see more documents like the FTC’s emerge, offering security standards, regulation and guidance, particularly for the IoT.
We’ve already seen three prominent chip makers and the European Union Agency for Network and Information Security (ENISA) offer what they called a “common position” on IoT cybersecurity and privacy.
In addition, earlier this month the Association for Computing Machinery U.S. Public Policy Council (USACM) and its counterpart, the ACM Europe Council Policy Committee (EUACM), hammered out a security and privacy policy statement. Together they agreed that policies and technologies to tackle the IoT’s privacy and security challenges must complement but not impede its advancement.