Export Compliance Daily is a service of Warren Communications News.
Protecting Trillions of Devices

More Interindustry Cooperation, Standards, Security Use Needed for IoT, Say Issa, Industry Panelists

ASPEN, Colorado -- Ensuring a reliable level of security among IoT devices and the networks they connect to needs stepped-up coordination between device makers and other sectors, widespread security standards, and increased use of common sense and already-established cybersecurity steps, Technology Policy Institute panelists said. Speakers from the cable, satellite and telco/wireless industries plus Rep. Darrell Issa, R-Calif., identified many challenges in keeping a wide array of connected devices safe from hackers, not to mention from privacy breaches. Government needs to rely on affected industries to develop best practices and then agencies can spread word, Issa said Monday.

"When we're looking at these trillions of devices and we know there will be devices" that have failures like hacks, "how do we have a failure of one ... not be a failure of the system?" Issa asked. "The systems have to be built with the assumption that there will be a failure." On cybersecurity, "the government does not yet have answers and the private sector does not yet have a perfect answer," said the former consumer electronics executive.

Issa wants to "put everyone in this room in a room with their not-so-hidden agendas and say, 'What works ... for consumers,'" he said. "We have to unwind the past ... bad policy decisions" on things like spectrum allocation, he said.

Industry representatives said they're working to address challenges. Cable operators as service providers "feel a pretty hefty responsibility to do what we can to protect our customers," but not all players in all sectors feel that way, said CableLabs Vice President-Technology Policy Rob Alderfer. "It is a challenge" and one that "is up to industry to step up and provide the tools" to address security vulnerability issues, he said. Ligado doesn't "think that connectivity and security are mutually exclusive in any way," said Senior Vice President-Government Relations and Public Affairs Ashley Durmer. "Each layer of the stack essentially will require a kind of different look at what security requirements are necessary."

Cheap devices mass-produced by companies without relationships with customers aren't always up to security snuff, industry representatives said. "Cheaper can be a problem in the IoT space," and there can be a trade-off between inexpensive products and security, Alderfer said. He sought "developing standards and making it easy for new suppliers of IoT devices to build to those standards," and easier for consumers buying them. Verizon Vice President-Public Policy David Young said that "most of the tools are already available to produce a secure internet of things," such as encryption: "The problem is that not everyone knows that they are available or even chooses to use them. Even worse is there are some very basic best practices that are ignored," such as products using publicly available default passwords until they are changed by users.

Things linking to the IoT are "a whole lot easier for hackers to put viruses on, they tend to be unprotected, no one who has them, like me, is paying any serious attention to them," said Gerald Faulhaber, a former FCC chief economist and professor emeritus at the University of Pennsylvania's Wharton School. He cited two distributed denial of service attacks, including one against Dyn (see 1612080069). "These are new viruses, and the protection against them is very low," he said, urging including security considerations in product design, having automated security updates and strong authentication, among other recommendations in a CableLabs report. With hundreds of manufacturers, most not in the U.S., "they've got to be part of this story," Faulhaber said. Most consumers "don't even know they have a computer on these things" like a smart fridge, he said. "The real danger is not you're going to load something into your refrigerator" that could affect one's privacy, he said: "The real danger is someone is going to launch a DDoS attack" with it and "you don't even know it."

CTA members "take seriously concerns about the security of connected devices" and consumer privacy, a spokeswoman emailed us. "Industry can consider adopting a set of best practices for security, including developing voluntary testing and certification programs." The association of device makers and tech companies is working with members on programs including self-driving vehicles and smart home technology, the representative said. She also cited a white paper from the group on best practices for securing home systems and its DOJ partnership on an IoT devices security report.

TPI Notebook

Artificial intelligence needs added transparency and won't solve all technology and labor market issues, but holds promise, corporate and academic AI experts told the opening TPI panel Monday. Acknowledging a tight labor market and potential risks to employment, four researchers generally agreed AI has many upsides. Without more transparency in how such technology operates and updates itself, coupled with a recognition it's not flawless, progress could be stymied, the remarks indicated. "AI algorithms have their problems, too," as deep learning is exciting but "comes with a downside," said researcher Ece Kamar of Microsoft Research Redmond's Adaptive Systems and Interaction group. She cited statistical techniques and learning from large amounts of data. "There is a big transparency problem between the AI algorithm" and stakeholders like users, said Kamar: "We need to do a lot of work to make that transparent" to have "trust between the human and the machine, so we can work together." AI is advanced enough that it could allow autonomous vehicles in controlled situations like freeways "right now, or even a decade ago," said Google Chief Economist Hal Varian, with one wrinkle: there couldn't be human drivers and pedestrians. The audience chuckled at that last point. Varian defended AI when it comes to the job market, saying "this cognitive assist is really a big deal, because it allows for on-the-job training," whether for taxi drivers or for more-skilled professions. An associate professor agreed, saying industry holds blame, too. "Media focuses on fascinating cases," said Diane Bailey of the University of Texas at Austin School of Information. "Tech companies put out a lot of rhetoric of their own."

EU and U.S. authorities are gearing up for next month's review to see if Privacy Shield is functioning well, acting FTC Chairman Maureen Ohlhausen and European Data Protection Supervisor Giovanni Buttarelli said at a TPI luncheon Q&A with Julie Brill, former Democratic FTC member, now at Microsoft. The FTC will participate in the review, which will examine the European-U.S. data transfer privacy pact's administration and enforcement, Ohlhausen said. The commission won't play a role in any review of national security and law enforcement aspects of Privacy Shield, the commissioner noted. "The FTC was an active enforcer under the privacy safe harbor, and we will continue to play that role with Privacy Shield, so stay tuned." Buttarelli said it's important how Obama administration assurances are being delivered on. The EU official sought a longer-term privacy framework: "There is a risk" associated with when "we export our data to other players in the world, and this is why I'm encouraging other countries, including the U.S., to recognize it is time for change," to "start thinking to a more robust perspective." Europe's general data protection regulation could include oversight of AI, in a way that doesn't harm its take up, Buttarelli said. GDPR takes effect in May. "We don't want to slow down innovation," and big data and AI have "a sort of bidirectional relationship," said Buttarelli: "Data protection should be digital. ... We should be flexible, dynamic" and "focus less on requirements and more on safeguards" to "make existing principles more effective in practice." Many more companies may be covered by GDPR than in the past, Brill noted. AI can include consumer protection and competition elements, Ohlhausen said: "I'm hopeful that at the FTC, we will be able to delve ... more into both sides of our mission" in looking into the technology.