FCC Threatens IoT Industry With Mandatory Cybersecurity Testing
The FCC has warned private industry to clean up its act, or the agency will do it for them.
2016 was not without its fair share of major cyber attacks. Fortunately, the government is looking to address this growing concern.
In one of the last FCC rulings under the Obama Administration, the FCC has issued a stern warning to private industry involved in the Internet of Things (IoT), saying basically, “Clean up your act or we will be forced to step in.”
The warning notes that the government will force commercial companies to institute protective procedures if action is not taken.
The FCC’s Cybersecurity Risk Reduction White Paper, which was issued on January 18, 2017, expresses serious concerns about the “burgeoning and insecure IoT market [that] exacerbates cybersecurity investment shortfalls [because] the private sector may not have sufficient incentives to invest in cybersecurity beyond their own corporate interests.”
Noting that insecure wireless devices have shut down service to millions of users by attacking critical control utilities that are not FCC-regulated, the FCC is advocating “cyber accountability” – a combination of market-based incentives and regulatory oversight – to reduce cyber risk in the communications sector.
Security by Design
Certainly, the FCC is most worried about communications carriers, primarily Internet service providers. But the IoT world, namely device manufacturers and vendors, would bear a large portion of the responsibility.
The FCC proposes that IoT equipment suppliers should implement “security by design” practices to build cybersecurity into their products before marketing them. As defined by the FCC, security by design is “a practice of continuous testing, authentication safeguards, and adherence to best [cybersecurity] practices.”
The FCC hints that regulatory oversight of this process will likely be required, in part because of the “large and diverse numbers of IoT vendors – who are driven by competition to keep prices low – hinders coordinated efforts to build security by design into the IoT on a voluntary basis.”
Accordingly, the FCC states that, among other things, changes to its equipment certification rules may be necessary to protect networks from IoT device security risks.
The last sentence of the report says it all: “The Commission’s preference is to work collaboratively with industry using private/public partnerships. However, if market forces do not result in a tolerable risk outcome, the Commission has tools available to make adjustments to restore the balance.”
This warning is like a pre-9/11 document about Osama bin Laden. It should not be ignored, especially if it means there is a potential “9/11-like” cyber attack coming. The Consumer Technology Association (CTA) and other associations should immediately be engaged with the vendor community on this looming regulatory issue.