September 19, 2017


Future growth predictions for the IoT are staggering. At this inflection point, regulatory philosophy will impact the pace and path of innovation. With a truly global market for the IoT, national boundaries and policy differences threaten to create barriers and walled gardens and distort markets. Governments should support international standards work that harmonizes varied approaches to regulating technology.

Governments are in a difficult position given the complex and fast-changing cyber threat landscape, and traditional regulatory responses are inadequate to keep pace with the evolution and economic growth potential of the IoT.

Consumers may not be prepared for their roles in our digital future, in which individual actions can affect communities and enterprises around the world. Basic cyber hygiene education should be prioritized by governments, businesses, and consumers.

Similarly, increased attention is being paid to hardening endpoint security. Here, manufacturers and vendors are leveraging existing industry-developed best practices. They should be encouraged and incentivized to pursue security by design.

Recent cyberattacks like WannaCry, Petya, and Mirai illustrate why a combination of end user education and endpoint security is important. WannaCry and Petya victims used unsupported and unpatched versions of legacy operating systems, which is a lesson in the importance of upgrading and patching devices. Likewise, the Mirai botnet depended on widespread use of a common set of credentials, which speaks to the use of hardcoded passwords. Governments should proactively collaborate with industry to identify and facilitate voluntary use of best practices.

Given how diffuse and ubiquitous the IoT is, the global effort to enhance security, privacy, and trust requires input from public and private stakeholders. Governments should establish international multi-stakeholder forums for discussion and education about security and privacy regulations, and trust-enhancing certification and labeling frameworks.

The IoT is incredibly complex and there is no one-size-fits-all solution to cybersecurity. But the business community looks forward to working with governments to collaboratively create policies that enhance privacy, security, and trust in the IoT based on global, voluntary, consensus, and industry-driven standards.

Ten Key Principles for IoT Security

When it comes to security, attempts to regulate today will become outdated tomorrow. Flexible approaches to collaboration and cooperation to combat shared threats have significant advantages over national regulation, which serves to fragment the global economy and lags behind technological innovation.

  1. Any approach to IoT security should be data-driven, based on empirical evidence of a specific harm, and be adaptable both over time and across borders.
  2. Security demands should never be used as industrial policy to advance protectionism or favor national economic interests.
  3. National boundaries need not become arbitrary obstacles to the movement of devices or data, or to the offering of IoT-related services.
  4. Global standards work is the best way to promote common approaches and technology solutions. Such standards should be open, transparent, and technology-neutral. 
  5. Any government IoT strategy should promote technical compatibility and interoperability to the maximum extent possible.
  6. Everybody is vulnerable; cyber threats must be met with global information sharing and collaboration to improve and safeguard the IoT ecosystem.
  7. End users need to be educated about their roles and responsibilities in this digital age.
  8. Manufacturers and vendors should be encouraged to routinely evaluate and improve endpoint security.
  9. The international community must collectively condemn criminal activities that infect and exploit the openness and connectivity of the internet and our digital future.
  10. Governments must work together to shut down illegal activities and bring bad actors to justice.