As we drift through the last weeks of the Lame Duck session, the 115th Congress and New Administration lie ahead. Anticipating the many issues likely to cross the desks of legislators and regulators in early 2017, technology and innovation should be at the top of their priority list. Previously, I discussed the opportunities presented to them by the potential for airspace and exospace reform and the benefits of artificial intelligence, robotics, and automation. This week, I’ll discuss another hot button emerging technology that legislators will undoubtedly be pressed to confront in the new year: the Internet of Things (IoT).
The Security of Things
Last month’s distributed denial of service (DDoS) attack originating with the Mirai botnet, which briefly brought down sites such as Twitter and The New York Times, has brought the issue of security in online devices to the fore of discussions surrounding the IoT. I proposed a number of recommendations to address concerns over IoT insecurity in a previous blog post, and they remain as relevant as ever. They include:
- Regulators and Policymakers: Congress and regulatory agencies should ensure ongoing innovation in the cybersecurity ecosystem by refraining from placing undue regulatory restrictions on CDNs. This includes denying them intermediary liability protections when it comes to copyright infringement claims.
- Cybersecurity Insurance: Underwriters should focus more on valuing whether and/or to what extent insurable firms utilize security products and services, especially given how little emphasis is placed on encryption.
- The IoT Industry: Firms operating in the manufacture of IoT devices need to take a more proactive approach in addressing potential security concerns in both hardware and software. Industry-led standards should be a top priority for industry, utilizing comprehensive third-party validators like the Online Trust Alliance. If they do not, trust in this emerging market will falter, and regulators and/or Congress will undoubtedly be forced to action.
- In General: We need to focus on cybersecurity as a “service,” not a mandatory obligation. There are no silver bullets to the problem of cybersecurity, but there are learning experiences, and we should treat each breach, attack, and intrusion as an opportunity to learn from mistakes, not create new ones with knee-jerk regulations.
Although a wide array of other recommendations have been proffered—everything from developing anti-malware viruses that troll networks and disable insecure devices to federally financed cybersecurity insurance—the most effective mechanism for addressing insecurity in the IoT will rest on allowing many solutions to bloom in parallel. The National Institute for Standards and Technology, for instance, released technical guidelines for securing many of these systems (arguing for “security by design”) and the Department of Homeland Security recently unveiled its own report that details principles for securing the IoT. Most importantly, the standards and guidelines must remain non-binding in order to avoid a technological race to the bottom, where companies fail to continually improve their products’ cybersecurity because government, not the market, mandates a set of technical standards. The floor, in effect, becomes the ceiling, because industry is no longer incentivized to do any less, or more, than mandated by statute. Such an approach is likely to stonewall cybersecurity innovation that might otherwise have flourished as it has in other sectors (for example, the emergence of content delivery networks as services for added website security).
Rushing to regulate without duly weighing actual harms against actual benefits could be a death knell to this industry. As Adam Thierer, senior research fellow with the Mercatus Center, put it in his comments to the National Telecommunications and Information Administration (NTIA): “Smart technologies require smart regulations.”
One Framework to Rule All Others
Perhaps more than any other emerging technology issue, the IoT presents unique challenges and hurdles for would-be regulators. The sheer complexity of the market segments involved makes enacting laws and rules that don’t hamstring innovation notoriously difficult. (See AT&T’s comments filed to the NTIA for a brief glimpse at the complicated and overlapping markets involved.) As a result, the best path forward for advancing the IoT necessitates a flexible, adaptive, and responsive regulatory framework. The best policy framework thus far produced and applied to the fast-paced innovation economy came from the Clinton Administration back in the late 1990s: the Framework for Global Electronic Commerce.
To guide the nascent IoT industry and federal regulators, the Niskanen Center forwarded this same framework, slightly amended, in its own comments to NTIA as the one framework to rule all others guiding the IoT, and emerging technologies more broadly. The following suggestions helped guide the development of the commercialized Internet, and can do the same for the IoT:
- “The private sector should lead.” The framework specifies that “governments should encourage industry self-regulation wherever appropriate and support the efforts of private sector organizations to develop mechanisms to facilitate the successful operation of the” IoT. “Even where collective agreements or standards are necessary, private entities should, where possible, take the lead in organizing them.”
- “Governments should avoid undue restrictions” on the IoT. “Unnecessary regulation of commercial activities will distort development of the electronic marketplace by decreasing the supply and raising the cost of products and services for consumers. … [G]overnment attempts to regulate are likely to be outmoded by the time they are finally enacted, especially to the extent such regulations are technology-specific. Accordingly, governments should refrain from imposing new and unnecessary regulations, bureaucratic procedures, or taxes and tariffs on commercial activities that take place via the” IoT.
- “Where governmental involvement is needed, its aim should be to support and enforce a predictable, minimalist, consistent and simple legal environment for commerce.” The framework specifies that “where government intervention is necessary to facilitate” the development of the IoT, “its goal should be to ensure competition, protect intellectual property and privacy, prevent fraud, foster transparency, support commercial transactions, and facilitate dispute resolution.”
- “Governments should recognize the unique qualities of the” IoT. “Regulation should be imposed only as a necessary means to achieve an important goal on which there is broad consensus. Existing laws and regulations that may hinder electronic commerce [and the continued development of the IoT] should be reviewed and revised or eliminated to reflect the needs of the new electronic age.”
The government can be an effective partner in assisting the growth of this industry by promoting programs intended to spur the deployment and adoption of the IoT. Initiatives such as the Department of Transportation’s Smart Cities Challenges, and legislation that helps fund technological deployment, can in narrow circumstances be beneficial to the development of this ecosystem. Additionally, supporting a national policy framework that unifies the various would-be regulatory agencies’ positions on IoT will help minimize regulatory burdens, while providing the needed certainty to ensure innovation is not stifled. (The DIGIT Act, currently with the Senate Committee on Commerce, Science, and Transportation, is a good first step in this direction.) Otherwise, we’re bound to see a hodgepodge of unworkable and confusing regulations across numerous federal agencies claiming jurisdiction.
Why the Time For Action is Now
The Mirai botnet attack is likely just the beginning of a new era of DDoS attacks. The IoT has created an ecosystem where the “tragedy of the commons” seems, at first glance, to be the new norm of the cybersecurity landscape. If industry doesn’t take the lead in producing strong self-regulatory mechanisms for addressing these concerns, Congress or the new Administration undoubtedly will. In addition, the emergence of a robust and sometimes perplexingly complex and vast market of IoT devices means regulators are likely to be at a considerable disadvantage for addressing potential harms that emerge. But Congress and agency officials must be wary of knee-jerk proposals for the IoT, otherwise the impact on innovation and economic growth could be profoundly negative.
Now, more than ever, legislators and the executive must take the lead on this issue—not by regulating the IoT to death, but by embracing the regulatory Hippocratic Oath: first, do no harm. They should enshrine the principles of the Framework for Global Electronic Commerce as the guiding policy for IoT legislation and regulation, and refrain from falling victim to regulatory hubris. Otherwise, ill-conceived rules and mandates precipitated by the next cyber attack could spell the end of an emerging technology that holds the potential to massively benefit the economy and society.
Through 2017 and Beyond
Congress and the New Administration have an opportunity to enact positive, light-touch legislation that can help speed development of the IoT in the coming year. Passing the DIGIT Act would go a long way towards ameliorating market uncertainty, while positioning the federal government to capitalize on incorporating IoT systems for its own benefit. Even more importantly, the government and regulators can show policy leadership and continuity by embracing the same restrained framework that helped transform the Internet from an esoteric hobby horse into the global economic powerhouse driving the modern digital economy. By committing to the Framework for Global Electronic Commerce as the basis for Administrative policy, developing a national strategy for driving innovation and deployment, and prioritizing the promulgation of self-regulating standards, the government can help catalyze the benefits of the IoT for all Americans.
Stay tuned next week for the fourth issue policymakers need to focus on in 2017: data innovation.