The Internet of Things may be in its early stages, but the U.S. government has been gearing up to determine what the proper federal role should be for encouraging and regulating the use of IoT technology.

As stated in The Positive and Negative Effects of IoT in Hospitality, “the number of connected devices will grow by two billion objects in 2006 to a projected 200 billion by 2020.” Some form of regulation needs to be in place before there are more connected devices than humans in the world.

Two recent developments have underscored the government’s interest in IoT.

On the regulatory front, the Consumer Product Safety Commission launched an initiative to determine a framework for regulation related to IoT. The agency finished taking comments from businesses and IT providers last month, following a public hearing this spring at which interested parties aired their views on IoT regulation.

The second action was the recent introduction of the SMART IoT Act in the U.S. House of Representatives. The bill includes two major elements. First, it directs the U.S. Commerce Department to conduct a comprehensive study of virtually all aspects of the “Internet-connected devices industry” — also referenced in the bill as the “Internet of Things.”

Currently the Consumer Product Safety Commission (CPSC), the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), the National Telecommunications and Information Administration (NTIA), and the National Institute of Standards and Technology (NIST), among other federal entities, have embarked on some kind of IoT program.

The bill is designed to provide lawmakers with the appropriate background to shape federal policy regarding the IoT. The bill, H.R. 6032, is pending a vote by the full House.

Prepare for the Worst, Hope for the Best

The IT community should not be overly concerned that a robust federal regulatory regime is looming — at least not yet.

Take the CPSC's actions, for example: the agency specifically sought information on how IoT-connected products might be hazardous to consumers and what actions the commission would have to take to protect them. In addition to discussing consumer hazards, the hearing was meant to address the CPSC’s role in dealing with those issues.

The CPSC appears to be more interested in exploring the impact IoT could have than in contemplating any specific set of regulations on businesses or the IT community.

“I think it’s appropriate for CPSC to take a look at the IoT and how cyberthreats can lead to product safety issues and [consider the] agency’s oversight function,” said Ari Schwartz, executive director of the Cybersecurity Coalition, which includes AT&T, Cisco, Microsoft and Symantec.

“Of course, we would favor the use of industry standards in any regulatory regime.”

E-Commerce Times

“Right now, it’s too early to tell what direction the CPSC will take. The agency has to determine how broad its scope will be,” Schwartz said.

“I think CPSC is currently in the exploratory phases as to its role with IoT. The agency is genuinely interested in just learning more about IoT and its impacts,” said Rachel Weintraub, general counsel for the Consumer Federation of America.

In its comments to the CPSC, the Cybersecurity Coalition stressed that safety and security standards for IoT devices were inextricably linked and should be addressed in tandem, and that any standards should be set through a voluntary, consensus-based, and industry-led approach.

The wide array of IoT products and applications militates against any one-size-fits-all approach to standardization and regulation, the group contended.

A single standard “runs counter to where the industry is going,” Schwartz said at the CPSC hearing.

“While best practices and voluntary standards are helpful, they may not be adequate to protect consumers from the potential safety risks of using connected devices,” CFA’s Weintraub said at the hearing.

“The IoT raises questions about whether current product safety and product liability laws need to be rethought,” she noted, referencing a report from the Organization for Economic Cooperation and Development.

Mandatory vs. Voluntary

Mandatory standards inherently send a stronger message; however, the CPSC’s regulatory approach generally centers on the use of voluntary standards. This could go either way, but that issue aside, CFA strongly recommends two actions designed to get ahead of any formal regulatory scheme.

  1. Producers should strive to incorporate safety into the original design of any connected device or application.
  2. Federal agencies that have a stake in IoT regulation should determine jurisdictional scope, risk analysis, and an outcome-oriented approach to ensure nothing falls through the cracks and businesses are able to protect consumers from incidents like cyber-attacks.

The focus of the SMART IoT Act appears to be striking a balance between regulation and connected technologies development — with a tilt toward encouraging innovation.

SMART IoT Act – How Will This Affect IoT Innovators?

At the industry level, the SMART IoT Act “will help innovators and businesses know how entities are developing, using and promoting use of IoT solutions,” sponsor Latta noted.

The bill also will “highlight industry-based efforts to self-regulate and provide industry with a one-stop-shop for a compilation of industry-based standards — both ones already in effect and those currently being developed,” he said.

“While the SMART IoT Act can be helpful in describing federal efforts related to the technology, significant actions already are under way within and between agencies, and between agencies and the private sector,” the Cybersecurity Coalition’s Schwartz noted.

The Commerce Department itself has organized an internal Internet policy task force composed of NTIA, NIST, the U.S. Patent and Trademark Office, and the International Trade Administration to keep tabs on Internet commerce, including IoT.

It boils down to a balancing act: recent federal developments clearly indicate that the government is looking into ways to regulate IoT in order to protect consumers from hazardous incidents such as cyber-attacks, the release of personal information, and the like, while continuing to promote technological advances. It’s important to nurture innovation but also to protect those who use it.