Proposals to Secure IoT Concern High-Tech and Telecom Sectors

Randy Sukow

There is no question that greater consumer understanding of the security precautions that go into internet of things (IoT) technology is an important step. But high-tech and telecommunications companies commenting on the FCC’s recent Notice of Proposed Rulemaking on voluntary cybersecurity labeling of IoT devices are raising concerns about complexity and cost. Some also question the Commission’s jurisdiction in the area.

IoT has become a part of everyday life in America. At one time, it was fanciful to think that small, automated wireless devices would dominate online activity over humans. But today, physical security systems, transportation systems, medical monitoring, and several online systems rely on IoT. Rural America is benefiting from precision agriculture systems with IoT sensors, monitors and other devices. One study estimates there will be 25 billion IoT devices in operation worldwide by 2030. But cybersecurity information about these devices is not always available to consumers or easy to understand.

Federal agencies in recent years, at White House prompting, have been working with the private sector to develop labeling for IoT devices and software systems. The National Institute of Standards and Technology (NIST) released criteria for labeling IoT consumer devices in February 2022. The FCC is taking the task a bit further.

“We believe that our proposals for a voluntary labeling program building on the efforts of NIST and others … represent the most appropriate, and targeted approach to IoT cybersecurity labeling,” the FCC said in the NPRM.

“A widely used and well-designed security labeling program can help to foster market competition in product security, which can strengthen the resilience of the broader digital ecosystem,” said the Cybersecurity Coalition, a group of high-tech companies that includes Google, Microsoft, Cisco, Intel and several others. But the coalition worries that the Commission’s proposed labeling might not get wide acceptance. “The proposed rule envisions a labeling system that is overly complex, unwieldy, costly, and untested, and this risks suppressing adoption of the label,” the group said in recent comments.

The group particularly questioned the need for new standards, disclosure of product assessments and a centralized registry. Instead, it called for a more “basic labeling program.”

NTCA – The Rural Broadband Association questioned whether the Commission’s Communications Act authority to regulate devices that could cause radio interference gives it additional authority to develop cybersecurity standards for IoT devices. “The promulgation of IoT standards that conceivably affect markets in which the Commission does not currently engage raises bracing questions about the extent to which even voluntary standards might reach,” NTCA said.

The labeling debate is taking place as the FCC is preparing to adopt a rulemaking to restore Title II restrictions to internet communications during its Oct. 19 meeting. It is unclear whether Title II expansion would extend authority to regulate IoT. “NTCA submits that any Commission action must contain a clear commitment that voluntary standards will not become de facto regulations by bootstrapping them to existing obligations or other rules,” the association said.

USTelecom supports the FCC’s labeling proposals and in the past participated in the NIST IoT device labeling programs. But it shared NTCA’s concern about Commission authority under the Communications Act. “Interference is the direct, physical product of RF energy, and it is unrelated to the general, far-ranging cybersecurity concerns the Commission is confronting in this proceeding,” it said, suggesting that other federal agencies do have jurisdiction over IoT devices.
