New IoT Security, Privacy Guidelines (BITAG – Google,Verizon, Comcast, TimeWarner, etc.)

New recommendations for IoT security, interoperability and policy were just issued by the Broadband Internet Technical Advisory Group (BITAG), which was founded in 2010 by Google, Intel, Microsoft, Verizon, Comcast, Time Warner Cable and other tech industry giants. Specific guidelines address security & cryptography best practices; restrictive vs. permissive communication; disruption and cloud back-end failure continuity requirements; addressing, naming and privacy; supply chain responsibilities, and other key issues. IT security experts from Rubicon Labs and  Synopsys Software Integrity Group commented below. 

Rod Schultz, VP of Product at Rubicon Labs:

“These recommendations by BITAG are comprehensive and insightful, but proposed recommendations that don’t have a carrot or a stick to drive incentives or dis-incentivize are pretty ineffective. The BITAG group has a lot to lose by poor IoT security, and must find a way to make what they recommend simple, easy to implement, and enforceable. The challenge is that the power of the IoT is rapidly being realized and so far, its velocity is not impacted by security. It is trivial to connect a device to a network but incredibly difficult to do it securely.

“A Hammurabi’s code for IoT security needs to come with consequences, and unfortunately these recommendations may simply go down in history as aspirational dreams.”

Mike Ahmadi, CISSP, Global Director, Critical Systems Security at Synopsys Software Integrity Group:

“While I certainly applaud efforts to set guidelines for addressing security in IoT devices, I remain concerned by a complete lack of baseline verification and validation of Cybersecurity. The mere presence of guidelines does not mean practices are followed. In industries where safety is a concern, validation and verification standards exist and must be followed, with some requiring certification. As IoT security issues continue to grow, this can impact consumer safety, so it is important to consider a program like the UL Cybersecurity Assurance Program as a way to verify and validate that baseline practices are being followed, allowing consumers to make a more informed choice.”