Consumer Electronics Daily was a Warren News publication.
Parallel to NIST Effort

Tech-Communications Group Expects to Publish IoT Security Standards Document in Q3

A tech-communications industry coalition plans to publish a white paper this quarter proposing baseline IoT security standards, said CTA Vice President-Technology and Standards Michael Bergman Tuesday. The document for the so-called C2 Consensus on IoT Device Security will parallel similar IoT baseline setting efforts (see 1908010054) from NIST, he said during a workshop at agency headquarters.

CTA is managing C2, hosted by the Council to Secure the Digital Economy (see 1812190037). CSDE membership includes USTelecom, AT&T, Verizon, Intel, CenturyLink, IBM, Oracle, the Information Technology Industry Council, Samsung and Cisco. Individual organizations are reviewing a draft approval copy of the white paper, Bergman told us. Informal discussions also continue with NIST, alongside the agency’s public process, he said. NIST is collecting comments through Sept. 30 on draft cybersecurity feature recommendations for IoT devices.

C2 is ultimately producing a business-to-business document, Bergman said. It’s expected to give retailers, for example, technical guidelines so they can operate under the same security standards as manufacturers.

NIST’s cybersecurity draft is a great, small-subset baseline that’s in the “sweet spot,” said CTIA Cybersecurity Director Rob Cantu. It closely aligns with various baselines and guidelines from the wireless industry, he said.

IoT has tremendous economic value, but it needs securing, said NIST Information Technology Laboratory Deputy Director Jim St. Pierre. The effort's success will depend on stakeholder collaboration, he said. CTA would be comfortable having one global standard “to rule them all,” Bergman said. He anticipates harmonization as well as “splintering” over time.

Third-party standards enable the FTC to sue entities that violate FTC Act Section 5 rules on unfair and deceptive practices, said Privacy and Identity Protection Division attorney Kevin Moriarty. A company's failure to comply with its promised standards helps the agency build a case, he said.

Moriarty noted Section 5 is difficult to apply to modern technology. The commission in 1938 got authority to police unfair and deceptive practices using civil penalties. “Congress wasn’t thinking about network security” then, he said, acknowledging current industry frustration. Companies thrive when they have more certainty from enforcers, he said. He cited Vizio (see 1810050048). Now that it's under order, companies buying TV viewing data have confidence that purchasing that information won’t subject them to liability, he said. “Companies probably want more certainty from the FTC.”

Consumers also want certainty, Bergman said: For the smart home product market to expand, they must trust what they’re buying. A recent NIST survey of some 40 smart home device users showed consumers will sacrifice privacy and security for convenience, despite voicing privacy concerns, computer scientist Mary Theofanos said.

ITI recommends “identifying a common set of best practices and secure capabilities that are broadly applicable and driven by global market demand,” Senior Manager-Policy Alexa Lee blogged Tuesday. Implementing a “consensus baseline” based on international standards and supported across industries “will facilitate more effective government-industry collaboration,” she said. Lee warned against a standards patchwork.