A new Internet of Things (IoT) security and privacy policy statement has emerged, this time a potentially wide-reaching set of principles springing from the Association for Computing Machinery U.S. Public Policy Council (USACM) and its counterpart, the ACM Europe Council Policy Committee (EUACM).
Beyond the statement’s specifics (we’ll get to that in a moment), the underlying thinking is interesting: Policies and technologies to tackle the IoT's privacy and security challenges must complement but not impede its advancement.
In other words, let’s not stall the car while we make sure the roads are safe--the two must support one another. That may sound simple enough but actually it’s not. The number and variety of IoT stakeholders is significant--including government officials, academia, industry, nonprofits, technical experts, and consumer advocates—and you know what’s said about too many cooks in the kitchen.
The bottom line, said the agencies, is that the stakeholders must work with one another and coordinate their efforts across borders. The agencies also suggested that cementing in consumers’ minds that the IoT is safe and their privacy will be protected must be factored in when framing policies.
IoT Security and Privacy Policies: The Highlights
You can read the two-page document here. Otherwise, the high notes are these:
- Support privacy and security throughout the IoT device lifecycle, including continuous, reliable device operation and regular patches, upgrades and software updates.
- Develop new technologies to support IoT privacy and security, such as flexible access control and advances in cryptography and encryption.
- Protect consumer data by addressing data ownership, building consumer awareness about privacy and data sources and protecting data integrity.
- Foster cooperation among stakeholders through promoting an interdisciplinary approach to trust and encouraging coordinated efforts among stakeholders.
IoT Security Policies: Deja Vu?
It's hard to say if it's coincidence or telling that two IoT security and privacy position statements have been released nearly side-by-side within two weeks of one another. In the earlier instance, three semiconductor companies and the European Union (EU) Agency for Network and Information Security (ENISA) offered up their jointly-developed ideas on IoT cybersecurity and privacy.
The silicon collaborators–namely, Infineon, STMicroelectronics and NXP–produced a five-page document that detailed a roadmap of suggestions and challenges for EU cybersecurity policy makers, suppliers and partners. To a degree, their positions were fueled by what they observed to be the market's failure to produce cost effective, workable security and privacy solutions.
The USACM and EUACM made no such mention of market forces, instead preferring to confine themselves to overriding policy statements.
Nevertheless, with two IoT security and privacy policy statements surfacing in such rapid succession, it will be revealing to see if security and privacy issues are amoebae-ing organically to the Internet of Things (IoT), or a sharpened sense of immediacy is prompting declarations ultimately aimed at safeguarding connected devices.