NTIA Participants Agree on Recommendations for Informing Consumers About IoT Security
Participants in an NTIA multistakeholder initiative to address IoT device security upgrades agreed to a final draft document that recommends what information manufacturers and vendors should convey to consumers before they buy a product. During a Tuesday virtual meeting, the group reached "consensus" on the draft, which recommended elements companies should consider in informing buyers about whether devices receive security updates; whether they're done automatically, by a user or professionally; and how long a device would receive such support. The draft talks about how a user should be notified about updates and what happens after a device is no longer supported. Harley Geiger, Rapid7 director-public policy, said that this document could become part of a larger government effort to deal with botnets and automated threats. He said the working group hasn't thought about a strategy for promoting adoption of the document but said it would be good to see it "in the wild" with some companies using it. The document was drafted by a working group in the NTIA-driven process, which has met three times since October. NTIA plans a Sept. 12 meeting in Washington to possibly reach consensus on other drafts presented by working groups on a catalog of existing IoT security documentation; technical capabilities of providing upgrades; and incentives for companies to provide updates.