VIA EMAIL: cpsc-os@cpsc.gov
Office of the Secretary
Consumer Product Safety Commission
4330 East-West Highway
Bethesda, MD 20814
The Cybersecurity Coalition (“Coalition”) submits this comment in response to the Request for Comments (“RFC”) issued by the Consumer Product Safety Commission (“CPSC”) on March 27, 2018. The Coalition also requests that it be permitted to make an oral presentation at the CPSC’s public hearing on the Internet of Things (“IoT”) and consumer product hazards to be held on May 16, 2018. The text of this comment will serve as the basis of the Coalition’s oral presentation.
The Coalition is comprised of leading companies with a specialty in cybersecurity products and services dedicated to finding and advancing consensus policy solutions that promote the development and adoption of cybersecurity technologies.1 We seek to ensure a robust marketplace that will encourage companies of all sizes to take steps to improve their cybersecurity risk management, and we are supportive of efforts to identify and promote the adoption of cybersecurity best practices and voluntary standards throughout the global community.
The Coalition appreciates the opportunity to provide these comments and participate in this important discussion. The Coalition supports the development of safety standards for IoT devices using a voluntary, consensus-based, industry-led approach. Such an approach would be consistent with the requirements of the National Technology Transfer and Advancement Act and OMB Circular A-119, which direct federal agencies to participate in standard-setting bodies and adopt voluntary consensus standards when possible. The Coalition encourages CPSC to work closely with the cybersecurity community, including the National Institute of Standards and Technology (“NIST”), the National Telecommunications and Information Administration (“NTIA”), and a number of standards setting organizations, such as the International
Organization of Standardization (“ISO”) and SAE International, as there is likely to be significant overlap between existing cybersecurity standards for IoT devices and safety standards for these devices. These organizations also have substantial experience in areas that the CPSC identified in the RFC as being particularly important to the safety of IoT devices; namely the implementation of secure product development practices and strong security measures to defend against malicious attacks. Engaging with these organizations and with industry participants is likely to result in better safety standards that protect consumers without slowing the growth and development of the IoT market.
The Coalition believes that safety and security standards for IoT devices are inextricably linked and should be addressed in tandem. A common feature across all IoT devices is their ability to communicate across information networks and to act on the physical world, which makes securing these communications and controlling access to device functionality central to maintaining both the safety and security of the device. For example, shipping an IoT device to consumers using default passwords or with known vulnerabilities presents both a security risk, as this could give attackers access to consumers’ information, and a safety risk if attackers are able to gain control of device functionality. Similarly, the same security measures that protect IoT devices against attacks aimed at taking information from the devices also protect users of these devices against attackers who seek to gain control of a device to manipulate the device’s functionality to create a hazardous situation.
The Coalition’s membership has been at the forefront of the standards development process for decades, working with government agencies, standards development organizations, and industry groups to identify and promote best practices and robust standards in cybersecurity. Through this experience, the Coalition has repeatedly seen the benefits of using a voluntary, consensus-based, industry-led approach to setting security standards, and the Coalition encourages CPSC to use this approach to set safety standards for IoT devices. This approach is particularly well-suited for this task due to the close connection between safety standards and security standards for IoT devices and the diversity of the IoT market with respect to the functionality of IoT devices, the economic factors impacting the development of IoT devices, and the resources available to the manufacturers of IoT devices. Involving industry participants in the standards development process will enable CPSC to better account for the differences between the various IoT devices to create standards that are flexible enough to provide robust protections for consumers where needed without driving up costs or limiting innovation where additional measures are unlikely to result in better safety outcomes for consumers.
Additionally, this approach to standards development has proven to be very effective in the cybersecurity space. NIST used a voluntary, consensus-based, industry-led approach to develop the Cybersecurity Framework, which has been widely used by industry participants to achieve better security outcomes since its initial release.2 NIST has continued to use this approach as it builds on the initial framework with subsequent updates, seeking input from industry participants throughout the update process.3 Because NIST worked closely with industry participants, the Framework provides guidance to industry on appropriate cybersecurity measures while permitting companies to adapt the Framework to the specific security needs of their products.
The Coalition further encourages CPSC to work with the cybersecurity community in establishing safety standards for IoT devices. The RFC identifies two broad goals for safety standards for IoT devices: (1) the prevention or elimination of hazardous conditions designed into products and (2) preventing and addressing incidents of hazardization, which includes instances where a product becomes unsafe due to malicious, incorrect, or careless changes to the operational code.4 NIST, NTIA, and standards development organizations have deep experience with secure product development standards and other security standards that are relevant to preventing the hazardization of products by malicious actors. These organizations also have deep experience with the voluntary, consensus-based, industry-led approach. Additionally, they have already begun identifying standards that are likely to be relevant to both the safety and security of IoT devices.5 This experience with both existing standards and the standards development process will be invaluable in any effort to develop safety standards for IoT devices. CPSC should also work closely with these organizations to make sure that any safety standards it develops do not conflict with current security standards.
The Coalition does not support establishing a certification process for IoT devices, as it believes such a process would likely be too rigid for the IoT market. Because of the diversity of consumer products in the IoT market, creating a single standard that addresses safety concerns across all products would be difficult, if not impossible. It could also make low-risk products that are designed to be inexpensive too costly to produce at the price point that consumers are willing to pay for the product, which could result in some IoT devices never making it into the market. The voluntary, consensus-based, industry-led approach discussed above provides industry participants with the necessary tools to ensure their products are safe while still providing them with the flexibility needed to bring a variety of new and exciting IoT products to the market.
The Coalition thanks CPSC for its leadership in this important effort. We value the opportunity to participate in this discussion by submitting this comment and making an oral presentation at the upcoming hearing. We look forward to continuing to work with CPSC on efforts to improve the safety and security of IoT devices.
1 The views expressed in this comment reflect the consensus view of the Coalition and do not necessarily reflect the views of any individual Coalition member. For more information on the Coalition, see www.cybersecuritycoalition.org.
2 See NIST, Framework for Improving Critical Infrastructure Cybersecurity, v 1.0 (February 12, 2014), https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf. 3 See NIST, Framework for Improving Critical Infrastructure Cybersecurity, v 1.1 (April 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
4 83 Fed. Reg. 13122, 13123 (March 27, 2018).
5 NIST, Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things, Draft NISTIR 8200 (February 2018).