The NTIA’s multistakeholder process on Internet of Things (IoT) and cybersecurity is apparently beginning to bear fruit. At this week’s virtual meeting, a draft document, “Communicating IoT Device Security Update Capability to Improve Transparency for Consumers”, was determined to be “consensus” output. In this post, we briefly review the process to date and offer some analysis from a governance perspective.
As part of a larger Digital Economy initiative, the Department of Commerce issued its April 2016 Request for Comment, “The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things.” In it, the Department sought to review the current technological and policy landscape relating to IoT. Almost 140 US-based stakeholders – from the private sector, government, civil society, and academia (including a comment from GT PhD student Karim Farhat) – responded to the request. In September 2016, the Department hosted a workshop to explore questions raised by the Request for Comment and issues raised in the public comments. In January 2017, the Department issued a green paper summarizing the inputs so far.
Among the issues identified, IoT security upgradability and patching was one chief concern. In response, a “multistakeholder process” was convened by NTIA and a handful of working groups formed with “the ultimate objective [being] to foster a market offering more devices and systems that support security upgrades through increased consumer awareness and understanding.” The goal of this process was “to develop a broad, shared definition or set of definitions around security upgradability for consumer IoT, as well as strategies for communicating the security features of IoT devices to consumers.” This week’s meeting provided an update on the progress of the working groups.
On one hand, NTIA’s process to date has been a refreshing approach, one contrary to those advocating for traditional government regulation of IoT (e.g., Schneier). NTIA continues to bolster its track record of supporting multistakeholder governance. However, after attending a recent virtual meeting, we think the process could benefit from some further enhancements. More fundamentally, the process raises more general questions about IoT governance.
What are the rules of the game?
Multistakeholder governance needs rules. The NTIA’s process has maintained the usual transparency and openness of regulated government consultations. However, while working groups (as opposed to a regulator) authored outputs based on stakeholder input, it was not clear what was the definition of achieving consensus. In the end it seemed that, if there were no objection from the almost silent crowd in the room, a document was approved. This is a shortcoming that NTIA can overcome by looking at multistakeholder Internet governance organizations that have elaborate collaboration practices and developed rules on decision making. For instance, working groups at organizations like ICANN have a mandate, a charter and a set of principles which they use to make decisions.
Who and how will outputs be adopted?
There is a working group dedicated to the adoption of any process outcomes. However, the working group (at least at this stage) is only discussing adoption of recommendations. The adoption working group at NTIA asserts that: “This purpose of this paper is to initiate a dialog among IoT producers, government and industry policy makers, researchers, and civil society advocates while avoiding prescriptive recommendations or best-practice guidance.” That is about as noncommittal as it gets. The nonbinding nature of the outcome makes the discussions go more smoothly and consensus can be reached more easily. But when the recommendation cannot be enforced it might not be as effective. In some regards, the NTIA process is similar to groups convened at Internet Governance Forum. Collegial, not that controversial, and ignored by many. Its output could also be compared to IETF best practice or informational RFCs.
Is it the right governance structure?
Governance structures provide the framework in which actors discuss, negotiate and enforce agreements and outcomes. They are typically categorized into hierarchies, networks and markets. In theory, well-designed governance structures reduce transaction costs and enable parties to cooperate with each other in mutually beneficial ways. This aspect can explain why any given area produces a specific distribution of organizations along the market-hierarchy spectrum. NTIA’s process appears to be a hybrid hierarchical-networked governance structure. Much like it initiated efforts around trusted digital identity or the IANA transition, the Department is using its domestic authority to initiate a process to convene stakeholders in a “semipermanent, voluntary negotiation system…[that] allows interdependent actors to opt for collaboration.”
It does not seem that transaction costs have been considered thoroughly. On one hand, the consensus document does recommend very simplified guidelines on basic IoT update information that manufacturers should provide to consumers. It is presumably information that manufacturers don’t provide today. Uniform guidelines on what information is necessary to provide could lower costs for manufacturers. It also seems this could lower consumer transaction costs, helping them make better purchasing decisions and potentially improve IoT security overall. However, this doesn’t prove that NTIA is the appropriate governance structure. Consumers transaction costs will go up as consumers need to spend time and understand informational material. It may not improve security because a consumer that is buying a simple toaster won’t sit down and read about how the device is secured (similar to how consumers ignore online terms of service). If it’s a washing machine or something more expensive, perhaps. Fortunately, there is another working group exploring and developing recommendations on “incentives, barriers and adoption,” an area where probably much more work needs to occur. It may be there are other governance structures already at work around IoT, and more broadly cybersecurity, something we explore in some forthcoming work.