NIST Releases Draft Framework on the Internet of Things
The draft document tackles a set of complex challenges presented by the emergence of cyber-physical systems (also known as the Internet of Things). NIST recognizes that the same attributes of these systems that present boundless opportunity are also a source of vexing challenge. The pervasive interconnectedness and flexible design of modern systems allow cell phones to be effectively repurposed as mobile traffic sensors, providing drivers with real-time data about the road ahead. Yet as the channels for information sharing proliferate, so too do the opportunities for compromise. The Federal Bureau of Investigation (FBI) recently released a bulletin warning consumers of the increased risk of cyber crime presented by the Internet of Things. The bulletin notes that cyber criminals are increasingly exploiting unsecured wireless networks not only to steal data but also to remotely control devices.
NIST proposes to overcome these challenges by providing a common set of considerations for the design of devices and a common language to allow designers to promote interactions between devices. The latest release retains the organizing framework of earlier drafts, but includes significant revisions to focus on creating an actionable set of recommendations. As before, the document organizes systems into a set of “domains,” which are the broader environments in which CPS devices operate. “Facets” describe the common activities required to develop systems, while “aspects” are the cross-cutting concerns that accompany the development process. (We describe this Framework in more detail in a previous post regarding an earlier discussion draft.)
Although the tripartite domains-facets-aspects structure remains, NIST overhauled much of the terminology to improve clarity and added significant detail to the Framework. For example, the Framework now recognizes that while some devices may be developed through a linear sequence, many devices emerge through reverse engineering, are layered on top of existing devices, or arise from gaps in between existing systems. These varied design processes are integrated into the Framework, providing a flexible structure for conceptualizing the development of new technologies.
If widely adopted, the CPS Framework could relieve some pressure on legislators and regulators to create more rigid regulatory frameworks. This year alone, the House and Senate have held hearings on the Internet of Things, and the FTC released a report on the privacy and security risks presented by the Internet of Things. But most lawmakers and regulators appear unpersuaded that specific regulation is necessary, at least in the near term. In March, the Senate unanimously approved a bipartisan resolution urging Congress to adopt a “light touch” to regulation of the Internet of Things. The FTC is likely to continue to use its flexible authority under Section 5 of the Federal Trade Commission Act to enforce privacy and security practices surrounding the Internet of Things. Despite its interest, the FTC has brought only one enforcement action relating to the Internet of Things, and Commissioner Maureen Ohlhausen recently urged regulators to practice “regulatory humility” with respect to the Internet of Things. Meanwhile, industry has proactively considered the privacy and security implications of the Internet of Things: the Auto Alliance released a set of consumer privacy principles that are enforceable by the FTC.
While it is too early to predict the impact of the NIST CPS Framework, the success of the NIST Cybersecurity Framework suggests that the CPS Framework is likely to have broad influence. Public comments on the document will be accepted until November 2, 2015, using a form available here. A NIST representative has indicated that a second draft release is likely following the CPS PWG’s review of public comments.
Brian Kennedy, an associate in our Washington, D.C. office, contributed to this entry.