NTIA Holds Virtual Meeting of Multistakeholder Process on Internet of Things Security Upgradability and Patching

On July 18, 2017, the National Telecommunications and Information Administration (“NTIA”) hosted a virtual meeting of its multistakeholder process to address Internet of Things (“IoT”) patching and security upgrades. The July 18th meeting was the fourth gathering of stakeholders in this process.

During the July 18th meeting, four working groups presented: (1) the Communicating Upgradability and Improving Transparency working group; (2) the Incentives, Barriers, and Adoption working group; (3) the Standards working group; and (4) the Technical Capabilities and Patching Expectations working group.

The Communicating Upgradability and Improving Transparency working group reached consensus on a final draft document that outlines a communications framework for manufacturers to consider before consumers buy their products. Members of the working group were quick to emphasize that their guidelines are not meant to supersede regulation or serve as a legal standard. Instead, the working group sought to identify and consolidate critical points it recommends manufacturers weigh as they develop IoT devices.

According to the final draft, “key” considerations manufacturers should communicate to consumers include:

  • Whether the device can receive security updates;
  • How the device receives security updates; and
  • The anticipated timeline for the end of security support.

The guidance also notes additional, less-critical considerations and discusses how manufacturers should notify consumers about updates.

Importantly, working group members noted there is no strategic plan for using the final draft going forward. Working group co-chairs noted they would like to see how the guidelines operate “in the wild” and that the framework could become part of the government’s effort to combat botnets and automated threats. The working group will discuss next steps on its next conference call, at a date still to be determined.

The three other working groups also presented status updates on their initiatives, which remain in earlier stages of drafting. NTIA plans a September 12, 2017 meeting in Washington, D.C. to attempt to reach consensus on these three drafts.

If you have questions about NTIA’s multistakeholder process on IoT issues, or would like to learn more about how to get involved, please contact the authors of this post.