The Public Policies Needed to Make IoT a Reality



  • IoT is infiltrating every aspect of our lives, but the U.S. government hasn’t taken notice
  • Government regulation for IoT is a prerequisite for mitigating potential cyber attacks in our continually connected world

HPE’s Irena Bednarich on the legislation needed for a more connected world

Enterprise use of IoT has become a reality, but governments in the U.S. and Europe are still catching up to regulate the fledgling industry.

In the U.S., federal and state legislators aren’t known for being proactive about regulating technology. For instance, around 23 percent of Americans were already on the internet in 1996 when the federal government passed the U.S. Telecommunications Act. Today, history appears to be repeating itself; in the U.S., there is no major IoT regulation policy, in part because no one has figured out which agency should take the lead on regulation.

The EU seems to be further along. The European Commission is planning to introduce rules related to IoT data in November. The EC also adopted the Directive on security of network and information systems (NIS Directive) in July, which establishes minimum rules for cybersecurity, though it won’t go into effect right away.

“When you adopt a directive in Europe, it takes two years to install the legislation as local law,” said Irena Bednarich, director of corporate affairs for Continental Europe, the Middle East and Africa at Hewlett Packard Enterprise. Bednarich added that IoT adoption isn’t happening at the same rates everywhere. “We’re in various stages of adoption and maturity across Europe,” she said.

The regulations come as IoT is taking root. The possibility of a major accident because of IoT sabotage or failure could have a chilling effect on the technology. While sensors and internet connections can definitely help industries like manufacturing, autos and energy to run their operations more efficiently, there is also potential for cyber attacks.

“Certainly security is on everybody’s minds,” said Bednarich, “however, I would say if you look at the economic potential that IoT could generate—it would be like another Industrial Revolution.”

Potential dangers

Such potential dangers have come to the forefront over the past couple of years as high-profile hacks of the Democratic National Committee, the federal Office of Personnel Management and CIA Director John Brennan, among others, have fostered the belief that no one is safe.

On the IoT front, WIRED was able to demonstrate the risks of internet-enhanced vehicles by enlisting two hackers to remotely commandeer a Jeep Cherokee, leading to a recall of 1.4 million vehicles. Hackers also demonstrated that they could remotely hack smart meters to cause blackouts. Healthcare also looks like an especially vulnerable target.

Bednarich said the situation in Europe is even more complicated than in the U.S. “We need to establish a network among those national NIS authorities that they will actually share cybersecurity threats,” she said. “You are as strong as your weakest link and this is what has caused a very tough debate in the adoption of cybersecurity legislation.”

Government action

For its part, the U.S. Senate began grappling with the issue of IoT regulation last year. The Senate Committee on Commerce, Science and Transportation held a hearing in February 2015 that looked into the issue.

Last month, the House of Representatives also jumped into the fray with a resolution looking to “prioritize accelerating the development and deployment of the Internet of Things in a way that recognizes its benefits, allows for future innovation and responsibly protects against misuse.”

In January 2015, the Federal Trade Commission issued a report that offered best practices for IoT security. These included training employees about the importance of security, building security into the devices from the outset and carrying out a “defense-in-depth” strategy that employs several layers of security. However, according to FTC Commissioner Terrell McSweeny, the organization is likely to serve as more of an “enforcement agency” when it comes to IoT, rather than being the one to build the regulations.

Part of the reason for the government’s inaction so far is that IoT’s major impact has yet to be felt. IDC expects the global IoT market to more than double from $655.8 billion in 2014 to $1.7 trillion in 2020.

The other reason is that it’s not clear which branch of government should regulate IoT. As NextGov notes, agencies including the Food and Drug Administration, the Federal Communications Commission, the National Highway Traffic Security Administration and the FTC “have some authority over some aspects of the Internet of Things.”

Bednarich added that legislation on IoT infrastructure and connectivity is the most important. “If you don’t have IT infrastructure where you can run IoT, there will be no IoT economy,” she said.

Drone model

One possible template for how the government might approach IoT is its approach to drones. In August, the of 55 lbs. or less to fly up to 400 feet high and 100 mph during daylight hours. That ruling came after many businesses had ignored the ban on drones.

Lacking government regulation, the same pattern might hold for industrial IoT. While businesses will likely take a cautious approach that’s well aware of the possible dangers of IoT, having agreed-upon regulations could open up more opportunities for this powerful technology trend.