ITIF’s Castro: How Congress can fix 'internet of things' security

[Commentary] In the wake of recent cyberattacks, many policymakers are left wondering what, if anything, they can do to prevent future attacks and how they can make the burgeoning Internet of things more secure. Fortunately, there is a relatively simple step that Congress could take to jump-start cybersecurity in the fledgling internet of things: require companies to publish a security policy. Most companies today publish a privacy policy. The Federal Trade Commission (FTC), in particular, has actively monitored the privacy practices of the private sector and held companies accountable for adhering to their stated practices. The overall result is that companies in the United States have a significant degree of autonomy and flexibility in how they collect and use personal data, which has allowed innovation to flourish, but they still must answer both to their users and to government regulators.

As the Information Technology and Innovation Foundation (ITIF) has argued before, the United States, like most other countries, has a schizophrenic approach to cybersecurity that is broken and ineffective. The current policy emphasizes relative security over absolute security. Nations want to be able to hack in to the systems of their adversaries, but they do not want their own systems to be vulnerable. So rather than working together to improve global information security practices for everyone, nations spend billions to penetrate systems and horde zero-day vulnerabilities. This needs to change. But in the interim, there is at least one concrete step policymakers can take to begin to change the security practices of the private sector and help pave the way for a more secure Internet of things.

[Castro is vice president of the Information Technology and Innovation Foundation]