This article was co-authored by Bethany A. Corbin, an associate in Wiley Rein’s Telecom, Media & Technology (TMT), Health Care, and Privacy & Cybersecurity practices, and Megan L. Brown, a partner in the firm’s TMT and Privacy & Cybersecurity practices.

Like the poetic prose of Bob Dylan, the reality of modern technology cannot be ignored: “the times they are a-changin’.” [1] Transitioning from the novelty of the Internet, society is embracing connected technology as the new digital frontier. Dominated by the Internet of Things (“IoT”), the future will be one of increased interconnection of wireless and computing devices in everyday objects, allowing these devices to send and receive personal data. IoT’s limits appear boundless, extending from physical devices and home appliances to vehicles and medical implants. By 2020, the value of this industry is expected to reach $1.29 trillion. [2] However, as the United States enters this increasingly digitized era, cybersecurity is rapidly presenting itself as a major national security challenge.

Recognizing possible vulnerabilities associated with connected devices, policymakers have proposed regulatory solutions. Recent legislative drafts include the Warner/Gardner IoT Cybersecurity Improvement Act of 2017, [3] the Wicker/Costello IoT Consumer ALERT Act of 2017, and the Lieu/Markey Cyber Shield Act of 2017.[4] By proposing top-down regulation, these bills have the potential to stifle innovation and creativity in this developing industry. This article argues against hard and fast regulatory controls, and explains why a public-private stakeholder approach—like the one proposed in the Internet of Medical Things (“IoMT”) Resilience Partnership Act [5]—is crucial to cybersecurity and industry success.

Presented with new and complicated security threats, legislatures may naturally turn to regulatory solutions. To date, the majority of IoT legislative initiatives seek to impose regulatory controls on an industry that is still in its infancy. The Cyber Shield Act of 2017, for example, proposes labeling IoT devices that meet security standards and establishing a best-practices advisory committee to develop industry guidelines and standards. [6] Similarly, the IoT Cybersecurity Improvement Act seeks to ensure, through written certification, that connected devices purchased by the U.S. government have no known security vulnerabilities or defects, and would impose several new obligations on the sellers of such devices to the government. [7]

While these bills signify that lawmakers are taking an increasing interest in IoT security, the technology industry is a poor candidate for a top-down regulatory approach for at least three reasons. First, the time-consuming legislative process does not match the fast-paced progression of the technology sector. This mismatch results in obsolete benchmarks and guidance, and leaves newly developed cybersecurity risks unaddressed. For this model of federal bureaucracy and regulation to succeed, the rate of IoT innovation must slow considerably, which is unlikely.

Second, prescriptive and stringent regulations may stifle innovation in developing industries. IoT, while quickly growing, is still in its infancy and requires creative innovation to flourish. Imposing regulations on a newly developed industry risks driving innovation out of that sector due to heightened costs associated with regulatory compliance. Startup companies and tech giants may devote their resources to other industries if IoT becomes heavily regulated before its foundational framework has been constructed. In this manner, regulation may prematurely kill innovation and the IoT industry.

Third, there are limits to the government’s technical skill and knowledge to develop best practices for IoT cybersecurity. Industry actors are more intimately involved in network security efforts and are aggressively working to secure next-generation technologies. The private sector, therefore, is better positioned to develop network and cybersecurity standards to protect Internet services. Top-down regulatory efforts may inadvertently ignore the realities associated with properly securing IoT devices, in turn, making those devices unsafe.

Given these considerations, it is critical that the public and private sectors collaborate on cybersecurity. Public-private partnerships are necessary to ensure that the IoT industry develops securely without stifling innovation. Cybersecurity policy must emphasize proactive risk-management and avoid prescriptive regulation associated with top-down legislative proposals. Collaboration achieves these goals by integrating diverse perspectives and resources to develop creative cybersecurity solutions that can quickly adapt to technological change. Voluntary risk management can provide unparalleled insights into the challenges facing IoT developers, and may promote dialogue on improved security measures. In addition, collaboration guards against uncoordinated government efforts that interfere with network deployment and product development. Under the collaboration model, the government will continue to play a central role in cybersecurity by supporting a strategic solution that combines public and private resources.

The IoMT Resilience Partnership Act provides a framework for how such collaboration may be structured. Establishing a public-private partnership, the Act seeks to develop voluntary guidelines for preventing cyberattacks and increasing the resilience of networked medical devices. [8] The Food and Drug Administration, in consultation with the National Institute of Standards and Technology, will create a working group comprised of representatives from 6 agency/regulatory groups and 30 representatives from the private sector (3 representatives each from 10 different private sector categories). [9] The working group will identify security gaps and devise actionable solutions to prevent potential cyber-attacks as the IoT industry evolves. [10]

Leveraging the experience of both the public and private sectors, the IoMT Resilience Partnership Act capitalizes on each sector’s strengths to accomplish a mutually beneficial goal. The private sector, for example, controls critical infrastructure and networks that are vulnerable to medical cyberattacks. Industry organizations are intimately familiar with system operations, and private sector employees have expertise in responding to security threats. The government, on the other hand, is poised to handle the identification of cyber threats, and prosecution of criminals. Further, the government can promote workforce development of necessary competencies and advance consistent cybersecurity policies to the international community. Therefore, the IoMT Resilience Partnership Act allows the government and private sector to collaborate and develop workable standards that can be implemented without stifling innovation.

While the IoMT Resilience Partnership Act is one example of how public-private stakeholder collaboration can develop, it remains to be seen whether any of the cybersecurity bills will become law. The road to digital resilience and security is still being paved, but innovation should not be regulated out of fear. To address vulnerabilities associated with connected devices, it is crucial to leverage the public and private sectors to develop workable and time-sensitive solutions capable of matching the rapid evolution of the technology industry. To defend against security attacks and manage risk, collaboration is essential.

[1] Bob Dylan, The Times They Are a-Changin’ (Columbia 1964).

[2] Internet of Things Spending Forecast to Grow 17.9% in 2016 Led by Manufacturing, Transportation, and Utilities Investments, According to New IDC Spending Guide, IDC (Jan. 4, 2017); Natalie Gagliordi, IoT Spending to Top $1.29 Trillion by 2020, Says IDC, ZDNet (Jan. 4, 2017).

[3] IoT Cybersecurity Improvement Act of 2017, S. 1691, 115th Cong. (1st Sess. 2017).

[4] Cyber Shield Act of 2017, S. 2020, 115th Cong. (1st Sess. 2017).

[5] Internet of Medical Things Resilience Partnership Act of 2017, H.R. 3985, 115th Cong. (1st Sess. 2017).

[6] S. 2020, §§ 3, 4.

[7] S. 1691, § 3.

[8] H.R. 3985, § 2.

[9] Id.

[10] Id.