Experts want clarity among potential IoT regulations


In an increasingly complex Internet of Things ecosystem, experts are calling for a consistent national strategy.

The biggest need, said Josh New, policy analyst at the Information Technology and Innovation Foundation’s Center for Data Innovation, is “regulatory clarity.”

“Agencies need to all be talking to each other to make sure they’re not implementing conflicting standards or conflicting frameworks,” New told FedScoop. “We want their frameworks to be very supportive of driving induction growth. We basically want a minimal regulatory environment, one that doesn’t prevent good things from happening by only focusing on potential, hypothetical harms.”

New’s comments come on the heels of a new report from the Government Accountability Office that lays out the security risks, possible economic ramifications and other implications of IoT to inform members of the federal government, specifically Congress, so they might have the knowledge to create such a strategy.


“We prepared this report in order to inform Congress on IoT, what it is, how it works and some of the considerations and implications of IoT,” said Greg Wilshusen, one of the report’s authors and director of information security issues at the GAO.

Some experts say a national, overarching philosophy on IoT is necessary not only to ensure the freedom to innovate for private businesses but also to protect the security of consumers’ information.

“Government has a lot of work to do to ensure US leadership in IoT, which is not a given at this point. As we lay out, there are many policy areas that will impact IoT, but the Commerce Department and NTIA have significant expertise to lead the government’s work on developing a cohesive approach to promoting and enabling these new technologies,” Vince Jesaitis, vice president of government affairs at the IT Industry Council, said in a comment to the Department of Commerce earlier this year.

But because so much of IoT is cross-sectional, agencies may have conflicting standards and regulations regarding the same aspects of the technologies involved.

“At present, within the federal government at least, there isn’t any single agency that has responsibility overall for IoT monitoring, management or regulation,” Wilshusen said. “A number of different agencies have roles in that as it relates to specific sectors or functions with that, and that is the purview of those individual agencies.”


To date, one of the most significant congressional efforts in creating a unified strategy surrounding IoT was the creation of the DIGIT Act, which was originally introduced in 2016.

“The introduction of the DIGIT Act would go a long way to direct federal agencies to reconsider the role of government, and begin taking steps to what we believe would be the basis for this national strategy,” said New. “It has to do with addressing cybersecurity concerns, it has to do with addressing spectrum concerns, it has to do with addressing regulatory framework, whether it’s a patchwork, whether there’s a lack of clarity, whether there are conflicting rules.”

The bill didn’t pass initially but was reintroduced in early 2017, giving legislators another opportunity to convene around IoT standards, particularly after the spread of the Mirai botnet, which targets internet-connected devices via a distributed denial-of-service attack.

But even in the aftermath of the Mirai attack, businesses are wary of government regulating IoT.

“We cannot regulate our way to cybersecurity,” Matt Eggers, executive director for cybersecurity policy at the U.S. Chamber of Commerce, said in October. “There’s a tendency for policymakers to try to run before they can walk in this [technology] space.”
