IoT Developments: NIST Issues Tech Guidance while NTIA Seeks Broad Input, Global Efforts Percolate

Megan L. Brown

This article was co-authored by Megan L. Brown (a partner in Wiley Rein LLP's Telecom, Media & Technology and IoT practices) and Umair Javed, Christen B'anca Glenn, and Madeleine Lottenbach (associates in the firm's Telecom, Media & Technology and IoT practices).

As the federal government grapples with Internet-connected devices and applications that make up the Internet of Things (IoT), the National Institute of Standards and Technology (NIST) is forging ahead to provide "technical leadership" for "the operation, trustworthiness, and lifecycle of IoT" (NIST, Special Publication 800-183, Network of Things, July 2016). Such efforts complement — and contrast with — recent policy efforts at the National Telecommunications and Information Administration (NTIA) and elsewhere to promote IoT innovation while addressing security, privacy, and interoperability. This federal activity will influence domestic policy and may be critical to shaping international efforts that threaten global innovation.

NIST's Recent SP 800-53 Joins Efforts to Address IoT Design

NIST is a non-regulatory agency responsible for creating security guidelines for federal information technology. Through various components and partnerships, NIST provides technical guidance, increasingly with an eye toward private sector use. NIST has been at the forefront of data security, cybersecurity, and privacy. Its work is influential and included in security standards and procurement requirements. NIST has been looking at several aspects of IoT.

NIST recently released a publication providing a model to define IoT and its fundamentals, in hopes of creating more secure and reliable technology. According to NIST, the five basic building blocks of IoT technology, or "primitives," are: sensors, aggregators, communication channels, external utilities, and decision triggers. NIST seeks to provide researchers and developers a common language for resolving security challenges that arise in Internet-connected devices and networks. NIST discusses factors affecting security and reliability and the trade-offs of open and closed systems. After identifying the general model for IoT systems and determinants of reliability and security, NIST discusses potential challenges. For example, NIST identifies issues related to car speed sensors, and how wearable, transmitting health devices may depend on communication channel security.

This recent publication is just one of NIST's efforts on mobility and IoT. NIST has long looked at cyber-physical systems of all sorts, and has released guidelines addressing mobile device security and applications and information sharing architectures. While NIST's standards and guidelines are consensus-based and voluntary (for the private sector), they can be binding on federal agencies, are often used by state and local governments, and are incorporated in other federal and private standards, including procurement demands.

NTIA Is Forging Ahead on IoT Policy

While NIST addresses technical models and best practices, NTIA is active in IoT, championing multistakeholder processes. NTIA earlier this summer sought and received comments on the potential federal role in promoting IoT innovation, as well as whether and how privacy, security, and interoperability can best be addressed. NTIA also sought comment on what role, if any, the United Nations' International Telecommunication Union (ITU) should play in setting technical standards for IoT.

Last week, NTIA announced that it will convene an IoT multistakeholder process focused on cybersecurity and upgradability of IoT devices and applications. This multistakeholder process will attempt to create a set of definitions, descriptions, and guidelines about security patches and upgrades in order to promote greater transparency about the data that IoT devices and applications may collect. According to Angela Simpson, the Deputy Assistant Secretary for Communications and Information, the multistakeholder process could lead to standardized descriptions of security upgradability or a set of tools to better communicate security upgradability. NTIA plans to host the first meeting in early fall 2016.

Multistakeholder models are well-suited to the evolving nature of threats and responses in technically complex areas such as cybersecurity. Recognizing the benefits of collaboration over regulation, NTIA convened a cybersecurity vulnerabilities multistakeholder process in 2015 to understand vulnerabilities created by information technology systems in the digital economy, such as those associated with IoT, and to establish best practices and coordinate efforts regarding cybersecurity and information sharing. These efforts continue.

U.S. Developments Occur Amidst Global IoT Activity

These activities are taking place while global policymakers address IoT. There has been considerable controversy in recent years over what some perceive as "mission creep" by the ITU into IoT standardization activities. The ITU's standardization work primarily is carried out by technical study groups, and, in 2015, a new Study Group 20 was created to focus specifically on IoT and its applications. Some countries, including China, Russia, Saudi Arabia, and South Korea, now are positioning through SG20 to make the ITU the sole global registry for IoT addressing. Citing IoT privacy and security concerns, these countries seek to mandate the proprietary Digital Object Architecture (DOA) as the sole global IoT addressing system. The ITU currently has rights to that intellectual property.

These ITU activities can have far-reaching economic and social consequences, including for U.S. businesses. Although DOA is useful in many contexts, such as libraries, SG20 proposals seeking to "Recommend" DOA as the sole global IoT addressing system are inconsistent with principles of technology neutrality and threaten to supplant the important role of the technical community, other standards development organizations, and business and civil society in IoT standards development. If adopted, such action could place IoT addressing squarely under the control of intergovernmental organizations and governments.

Not surprisingly, the private sector has been almost unanimous in urging NTIA to ensure that IoT technical and interoperability standardization activities remain in voluntary, open-participation, globally recognized, and consensus-based bodies, and that outcomes at this early stage of IoT development are technically neutral. As IoT continues to mature, innovators should continue to urge federal experts and policymakers to reflect and promote the values of technical neutrality and regulatory humility at NIST, NTIA, and beyond.

Companies assessing IoT opportunities should heed these and other legal and policy developments as they develop products, services, and business partnerships.

By Megan L. Brown, Partner at Wiley Rein LLP



While NIST Issues Tech Guidance and NTIA Seeks Broad Input, FCC Goes Its Own Way

Bruce Levinson – Aug 11, 2016 8:49 AM PDT

The Internet of Things (IoT) includes cable television set-top boxes. The FCC in its rush to "unlock" these set-top boxes has gone its own way, however, on cyber security. Instead of integrating its efforts to secure future "unlocked" set-top boxes as part of the government's broad IoT efforts, the Commission is conducting its own IoT cyber security mini-proceeding as a part of its set-top box rulemaking, MB Docket No. 16-42. By going its own way on IoT security, the FCC is inviting the world's cyber criminals into America's living rooms. See, http://www.circleid.com/posts/20160420_is_fcc_inviting...
