As the Internet of Things continues to grow and expand, the need for guidance on security measures and protections has become increasingly evident. Recently, the National Institute of Standards and Technology (NIST) released a lengthy set of IoT guidelines, known as NIST Special Publication 800-160. NIST unveiled the nearly 260-page publication at the Splunk GovSummit 2016 conference. The announcement came on the heels of the Dyn attack in late October, which further highlighted the immediate need for standards and guidance.
The strictly voluntary guidelines work to address questions and concerns about protections for devices connected to the internet. It is estimated that there are currently approximately 7 billion things connected to the Internet, but experts expect that number to triple by 2020. NIST described IoT as a “powerful and complex” system which is “inexorably linked to [our] economic and national security interests.”
Given the enormous size of this ever-growing sector of the digital world, it must be at the forefront of cyber-security discussions. Not only must IoT actually be secure, but users must also be able to trust its security and protections. One drafter said that users must have the same confidence in the security of IoT as they do in the safety of a bridge they cross or an airplane they board. However, policies and protections need not only to build up users' confidence, but also to simultaneously degrade the confidence that cyber-criminals have in their own abilities and operations.
NIST expressly stated in Special Publication 800-160 that its objective is to “address security issues” and “to use established engineering processes to ensure that needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner.”
As with most cyber-security policies, NIST is striving to limit the damage of inevitable, successful breaches. It recognizes that preventing every breach or attack is not a realistic goal. Therefore, the drafters emphasized that necessary protections must be incorporated at the design stage and built into devices rather than added as an afterthought, analogous to an airbag being built into the dashboard of a car. The protections must also be capable of keeping the device secure throughout its life-cycle.
Although the guidelines are voluntary, they should spawn valuable conversation and discussion. In order for the guidelines to have the desired effect, industry, government, and academia must all join forces to promote their benefits and vouch for their necessity.
Lawyers can use the guidelines to facilitate conversations with clients about cybersecurity measures. The guidelines can be presented to boards of directors and executives and positioned as a detailed overview of what must be done to implement security measures. Because the guidelines are government-backed and have been approved by the federal government, they can also be a tool used to get the support, including the financial support, necessary to implement security measures. They can also be used as a reference point when evaluating cyber insurance policies, as underwriters can refer to them during the underwriting process.
Lawyers should also caution clients that there will likely be regulators and litigants who point to the guidelines when attempting to impose liability on device manufacturers following a breach. Failure to follow the standards, it will be argued, is evidence of negligence or lackadaisical security. Whether the guidelines will create a standard of care remains to be seen, but they should certainly become part of the conversation as the IoT – with all of its inherent risks – continues to expand.
For a copy of the guidelines, follow this link: NIST Guidelines