Three principles for getting IoT security policy right

The Internet of Things holds promise for the public and private sectors, if we can secure it

Recently, the National Telecommunications and Information Administration (NTIA) released a “green paper,” discussing approaches that the U.S. Department of Commerce could take for fostering the advancement of the Internet of Things (IoT).

The paper recognizes the myriad potential benefits of IoT, such as safer highways through connected vehicle technologies, improved health outcomes through remote monitoring devices and telehealth practices, and more efficient cities by leveraging energy usage data from sensors and other devices.

However, the green paper also recognizes some of the technology and policy challenges inherent in the IoT landscape, key among them being cybersecurity.

Securing the IoT

At CA Technologies, we like to think of the Internet of Things as the Identity of Things. Identity-centric cybersecurity will play a key role in the assurance of IoT. In a world with an estimated 50 billion connected devices by 2020, organizations will need to be able to authenticate and secure the devices, applications, and back-end data systems that support the IoT, and ensure the integrity of the data that is transmitted between them.

This was a key point CA Technologies made in its response to a Request for Information from the NTIA last June, and we were pleased our policy recommendations were referenced in their IoT green paper.

Policies to get IoT security right

So what are the key policy principles that global governments can follow to help enable our connected ecosystem to flourish in a safe and secure fashion?

First, governments can engage stakeholders through public-private partnerships to promote IoT development, security, and privacy while allowing for technological innovation.

The National Institute of Standards and Technology (NIST) Cyber Physical Systems Public Working Group is a great example of these kinds of partnerships. CA is currently partnering with NIST and other industry stakeholders on an IoT-Enabled Smart Cities Framework to help both cities and smaller communities embrace IoT technologies to bring benefits to their citizens.

Second, policy and regulatory flexibility will be increasingly important in the development and security of the IoT. CA supports technology-neutral, outcomes-based policies that enable stakeholders to choose from a variety of options to address their development, management, security and privacy challenges.

The NIST Framework for Improving Critical Infrastructure Cybersecurity is a great example of this policy flexibility in practice, allowing organizations to address their unique cybersecurity challenges in ways most appropriate for them. CA Technologies is among a multitude of businesses, states and localities that are leveraging the Framework to improve their security posture, while also continuing to drive innovation.

Third, governments need to consider the global context of the IoT ecosystem when developing policies. There is a significant risk that global governments, Federal agencies, and state governments will develop multiple, distinct and overlapping compliance regimes for IoT technologies.

This policy fragmentation can force IoT technology developers to focus resources on compliance, potentially inhibiting them from competing in certain markets. Lack of competition limits consumer choice and stifles innovation. We believe governments should embrace international, market-driven standards, allowing technology providers to focus resources on innovative security solutions that can scale for the global marketplace.

Industry must lead

Ultimately, industry needs to play the lead role in enhancing the security of the IoT ecosystem. We need to place critical importance on adopting security-by-design principles in software development practices.

I highlighted that point in a recent interview I did with Government Matters on Federal opportunities to leverage IoT technologies. At CA Technologies, we refer to this approach as Secure DevOps or DevSecOps, short for Development, Security, Operations, whereby you consistently test and learn through feedback loops as part of the development process.

The potential benefits related to IoT technologies are limitless, not only in terms of economic opportunity, but also in improving the lives of real people and their communities. CA is committed to working with our government and industry partners to ensure that these technologies continue to flourish and that proper security safeguards are put in place from the start of the development process.

What thoughts do you have on ways to improve security in the IoT? I invite you to comment below.

About the author

As director of global government relations for CA Technologies, Jamie manages cyber security and Internet of Things policy. He also serves on the IT Sector Coordinating Council Executive Committee, the principal IT industry entity for coordinating with the federal government on critical infrastructure protection and cybersecurity. Jamie previously worked on the House Science Subcommittee on Research and Technology. Jamie has an MSc in social policy from LSE. He is also an avid Yankees fan.