Why DHS Didn’t Need Its Own Internet of Things Guidance

The department's internet of things framework is late to the game.

Ariel Robinson is an independent analyst and freelance writer whose work on technology, security, and defense policy has appeared in National Defense Magazine, Wonk Report, Defense One and elsewhere.

In late September, just ahead of National Cybersecurity Awareness Month, Department of Homeland Security Assistant Secretary for Cyber Policy Robert Silvers announced the agency is working on its own set of "unifying principles" to make the internet of things safe and secure.

"What we've come to recognize is that the internet of things is a full-blown phenomenon," he said, and everyone—industry, government and consumers—needs to "get serious" about building security into IoT. "And we need to do it now before we've deployed an entire ecosystem."

But DHS is late to the game, in terms of IoT industry and governance, and its duplicative efforts may have an adverse effect on overall security by confusing stakeholders with yet another list of best practices and policies. DHS should leverage its resources (and taxpayer funding) to drive awareness and adoption of existing frameworks, rather than reinvent the wheel.

First, a number of government agencies have already published policies, frameworks and guidance for the IoT industry and consumers. The Transportation Department released its Federal Automated Vehicles Policy just days before Silvers’ call to action. Other government organizations, too—including the Federal Trade Commission, the Food and Drug Administration and the Commerce Department—have been working closely with IoT stakeholders across the public and private sectors for years to develop best practices and policies for governance.

But Silvers believes these existing frameworks “haven’t stuck,” as Chris Brook wrote for Threatpost.com, and that DHS “has a responsibility to coordinate its own principles.” This is odd, seeing as industry stakeholders across sectors—medical, home security, wearables and more—have lauded and embraced the work of two Commerce organizations in particular: the National Telecommunications and Information Administration and the National Institute of Standards and Technology.

Silvers said these organizations' work on IoT policy would factor into the framework of principles DHS is working on; however, when I asked NTIA officials if they were aware of DHS' plan, they declined to comment. (NIST could not be reached in time for this article.)

Companies and nonprofits have also been taking the lead in IoT security and privacy, without needing additional guidance from DHS. One example is Samsung, whose IoT vision and framework especially focuses on leveraging IoT “with a clear purpose: to deliver safer, more efficient, more sustainable societies with higher quality of life for all,” and recognizes that doing so will require open and collaborative approaches (as opposed to trying to take over the market).

Admittedly, this comes after some significant privacy and security failures in the past, but the company’s new approach is one of proactive stewardship, rather than compliance—something all information security (and privacy) professionals recognize is critical to maintaining safe systems. This is one of the key principles of the Online Trust Alliance, an organization whose work assessing the preventability of IoT security and privacy missteps I recently covered in Nextgov.

Silvers promised the DHS framework won’t be regulatory or prescriptive, or “even… highly technical.” But those types of frameworks exist already. In fact, there are private-sector companies, such as the North American Energy Reliability Corporation, that have even developed their own regulatory standards and certifications. Protecting the homeland against cyberattacks certainly falls within DHS’ purview, but that doesn’t mean the agency has to reinvent the wheel.

The last thing we need is another government agency throwing around more principles and practices, further obfuscating what is already a complex, crowded and rapidly evolving sector. DHS shouldn’t waste the last few months of this administration by duplicating efforts already undertaken by so many government, nonprofit, and for-profit stakeholders. Instead, it should focus on supporting these other institutions’ work and on laying the groundwork for better cross-government coordination and collaboration in the next administration.