FTC and DoT: how do you regulate a potentially dangerous emerging market?

Recent comments from the US Federal Trade Commission (FTC) and Department of Transport (DoT), regarding their role in regulating IoT devices and development, have caught Riot’s eye – against the backdrop of ongoing IoT security debacles. Both are illustrative of the complexities of trying to govern as gargantuan an entity as the IoT, and an exploration of the topic is needed.

The US Transportation Secretary, Elaine Chao, has said that the DoT, which she heads, is reviewing the self-driving vehicle guidelines that were passed in the last months of the Obama administration. Speaking at the National Governors Association, Chao also called for automakers to better explain the benefits of the technology to a potentially skeptical public.

Those guidelines called for the submission of plans and data to the DoT, as well as to the state-level regulators and institutions, and for the states to adhere to federal policy, rather than going their own way – and creating a patchwork of rules. Notably, the automakers were largely against the new requirements, due to the demand for data – which they view as sensitive material. Unsurprisingly, Trump has been called on by the automakers to examine the rules.

In her speech, Chao said that the Trump administration wanted the federal guidelines “to be a catalyst for safe, efficient technologies, not an impediment. I want to challenge Silicon Valley, Detroit, and all other auto industry hubs to step up and help educate a skeptical public about the benefits of automated technology.” Chao added that the government was also very concerned about the impact of automation on the labor market.

Also speaking in public was Maureen Ohlhausen, the acting chair of the FTC, who told British newspaper The Guardian that the FTC “is not primarily a regulator,” and said on stage at a Nasdaq cybersecurity conference that it was taking a wait-and-see approach to IoT law enforcement. When asked whether there should be mandatory regulations, Ohlhausen said that the FTC hasn’t taken a position on the matter.

Speaking to the conference, Ohlhausen said “we’re saying not ‘let’s speculate about harm five-years out,’ but ‘is there something happening that harms consumers right now, or is likely to cause harm to consumers.’ We don’t know if that risk will materialize. It may well materialize, but a solution may materialize at the same time.”

Given the Mirai attacks and the webcam-powered Dyn DNS outage, many would see the FTC’s stance as being shortsighted – in that there is already a pretty clear picture of the shape of things to come, and that deciding to sit back is actively harming both consumers and businesses. However, there’s also the argument that a heavy-handed government approach could stifle the IoT in its formative early days.

So what should the role of a government be when it comes to the IoT? As hands-off as possible, letting the market self-regulate, or quick to lay ground-rules, knowing that the IoT will soon be a national concern – with both huge potential for good and inherent security and safety risks?

Well, either extreme has problems, and a middle-ground approach won’t appease every stakeholder. One of the main problems that governments will face is that the IoT is too pervasive for one division to properly oversee. Using the US as an example, while it makes sense to have the FCC regulate the wireless spectrum and the DoT manage vehicular concerns, the IoT brings these two (previously rather distinct) ecosystems together – and so the regulators begin crossing paths.

Of course, that’s a relationship that could be managed fairly easily, although politicking always threatens to throw a bucket of spanners in the works in such instances. Lobbying is another problem, and something that the larger enterprises and industries are going to be paying close attention to.

After all, an enterprise that is in the business of selling IoT products or services will be looking for stability in a regulatory environment – and if the regulators can be persuaded of the enterprise’s thinking, then such an outcome would be even more beneficial. In deployments with long life-expectancies, an enterprise or operator would want to know that their choice isn’t going to be legislated out of existence before its ROI.

Which is why the FTC’s ambiguity is causing consternation in the wider IoT industry, and why the news that the Trump administration is revisiting the autonomous driving regulations passed at the end of the Obama administration is troubling for anyone thinking of entering the self-driving R&D arena.

A cynic would assume that in the current political climate of point-scoring, the DoT may pass rules that favor the established automotive giants, rather than the disruptive technology companies that have been ramping up the pressure on the likes of Ford and GM, such as Tesla and Alphabet.

While a hands-off approach is certainly still on the cards, heavy-handed regulation or disruptive rule-changes in formative early-stage industries and areas will have detrimental impacts.

On the consumer side of things, we’re still waiting for the first IoT murder though, suggesting that the tabloid fears of serial killers unlocking smart homes or remotely cutting brake-lines have yet to come to pass. Such a story would run rampant, so we’re pretty sure we’d have heard of it by now.

Similarly, in our post-Snowden world, consumer apathy over state surveillance of their internet habits seems to be at a record high, suggesting that many consumers aren’t going to care all that much if their IoT gadgets begin leaking personal data – at least until they run into a real-world consequence.

As for enterprises, if there’s no pressure from legislators via their voters, then it seems unlikely that the consumer sphere is going to exert much of an influence on them. However, the nation-state security concerns are very real, and certainly the more pressing concern for operators and enterprises.

There are plenty of examples of insecure IoT devices causing far-reaching problems – with the poor state of IoT security becoming an ongoing gag that has become less and less funny over time as problems like Mirai have raised their heads. These types of internet attacks prove frustrating when they are aimed at things like Netflix or Facebook, but they could eventually prove life-threatening if they are turned on critical state infrastructure.

Hospitals, power stations, mass transit, road traffic management – all are examples of applications that could be brought to their knees by a targeted attack exploiting IoT security vulnerabilities. Until such an attack occurs, it’s hard to see where the incentive for governments to regulate IoT stakeholders, to ensure that such attacks couldn’t be launched, will come from.