In response to news that the US Federal Trade Commission (FTC) is pressing for IoT device security, including the ability to enforce Internet safety and consumer security standards, and has opened public comments on the proposed mandate, an expert with Corero Network Security offered the comments below.
Andrew Lloyd, President at Corero Network Security:
“The suggestion that the Consumer Product Safety Commission (CPSC) simply requires manufacturers to disclose the cyber-safety of their products and then let the consumer decide is not going to solve the problem.
“There are very few examples where the consumer has opted to pay more for safety or security. When you buy an automobile, the law requires that it comes with belts and air-bags. Almost none of us asks how good they are and we don’t find out until we need them to protect us from harm. The reason for this is that the authorities have devised certificated standards that provide safety assurance. Governments everywhere need to ensure that their citizens are protected by adequate cyber-safety standards. If a product does not meet those reasonable standards then it should not be for sale.
“Of course, to an extent the genie is already well out of the bottle with many millions of IoT devices already in the wild with little or inadequate security. That does not mean that we can’t do anything about it. Very clearly, it is time that IoT security flaws are corrected. In time, older devices will fail, be discarded or be upgraded. We can also place defense capabilities within our networks, such as real-time automated DDoS protection, to minimize the impact of compromised IoT devices.”
The FTC’s move follows a hearing on device security held by the US Consumer Product Safety Commission (CPSC) in mid-May, in response to concerns about hackable IoT devices such as baby monitors.