An Overview of the Proposed DIGIT Act

February 11, 2019 by Daniel Dimov

1. Introduction

On the 10th of January 2017, the U.S. Senate introduced the Developing Innovation and Growing the Internet of Things (DIGIT) Act that aims at addressing issues related to the growing number of interconnected devices in the U.S. and designing strategies for maximizing their potential and benefits for businesses, governments, and consumers. Although the Act is not extensive (its length is just six pages), it constitutes the first major initiative of the U.S. government within the domain of the Internet of Things. In this article, we will discuss the findings of the U.S. Congress as presented in the Act (see Section 2) and comment on the strategic plan for the Internet of Things proposed by the Act (see Section 3). At the end of the article, a conclusion is drawn (see Section 4).

2. The findings of the U.S. Congress

The DIGIT Act contains a detailed description of the findings of the U.S. Congress in relation to the Internet of Things. The findings are examined in more detail below.

First, the Act defines the Internet of Things as "the growing number of connected and interconnected devices." The definition is broad and may include not only Internet-connected devices, but also phone, television, and radio networks. In our opinion, the term "Internet of Things" has a narrow scope, namely, the use of the Internet for controlling, monitoring, tracking, and interconnecting everyday objects.

Second, the Act mentions an estimate indicating that more than 50,000,000,000 devices will be connected to the Internet by the year 2020. This number most probably encompasses devices which are connected both wirelessly and by cable. This is because ABI Research, a technology market intelligence company, estimated that, by 2020, there would be more than 30 billion wirelessly connected devices. 40% of these 30 billion devices will include hub devices, such as laptops, tablets, and smartphones. 60% of the devices will be node or sensor type devices.

Third, the Act states that the Internet of Things has the potential to generate trillions of dollars in economic opportunities. Forbes even calculated that, by 2020, the Internet of Things would be a market worth USD 19 trillion.

Fourth, the Act notes that, by utilizing the Internet of Things and related innovations, businesses across the United States can cut costs, simplify logistics, and pass savings on to consumers. This brief summary of the advantages of the Internet of Things is by no means exhaustive. For example, the Organization for Economic Co-operation and Development (OECD) mentions that the Internet of Things can facilitate the so-called "next production revolution" (NPR), which is marked by three key trends, namely, (1) the rise of the digital economy, (2) the increasing importance and mainstreaming of knowledge-based capital, and (3) the spread of global value chains. Stacey Frederick from Duke University defines the term "global value chains" as "the full range of activities that firms and workers do to bring a product/good or service from its conception to its end use and beyond."

Fifth, the Act points out that the United States is a world leader in the development of Internet-supporting technologies and its technology sector is well positioned to lead in the development of the Internet of Things. In this regard, it should be recalled that the term Internet of Things was coined by an American (Kevin Ashton) and a major portion of the initial research on the Internet of Things was conducted by American institutions (notably the Massachusetts Institute of Technology, New York University's Interactive Telecommunications Program, University of California, Microsoft Research, Intel Research and Equator, and Georgia Tech's College of Computing).

Sixth, the Act argues, without specifying particular implementation strategies, that the United States Government can implement the Internet of Things to better deliver services to the public. The government can benefit from the Internet of Things by using data from Internet-connected devices to make governmental decisions. For instance, information from sensors installed in cars can be used for the purpose of road management.

Seventh, the Act refers to Senate Resolution 110, which calls for a national strategy for the development of the Internet of Things. The strategy should have three goals, namely, (1) empowering consumers, (2) fostering future economic growth, and (3) improving the collective social wellbeing of the people of the United States.

3. The strategic plan for the Internet of Things

The Act envisages the creation of a working group of Federal stakeholders to provide recommendations to Congress on how to plan and encourage the proliferation of the Internet of Things. The working group will be responsible for examining the following five aspects of the Internet of Things: current and future spectrum needs (see Section 3.1); the regulatory environment (see Section 3.2); consumer protection (see Section 3.3); privacy and security (see Section 3.4); and the current use of the technology by Federal agencies (see Section 3.5).

3.1 Current and future spectrum needs

The Internet of Things has already imposed heavier requirements on the spectrum than have previously been encountered. In the future, we can expect even more pressure on the spectrum, as the mobile broadband demand will most likely increase. By accurately estimating the current and future spectrum needs, the U.S. government will be able to encourage the development of innovative technologies that enable the spectrum to be used more productively.

3.2 The regulatory environment

The Internet of Things can present regulatory challenges since it creates complex data interactions between various parties. To identify and possibly address these challenges, the working group will examine the regulatory environment related to the Internet of Things, including sector-specific regulations. For instance, Internet-connected devices used for conducting credit and debit card financial transactions must adhere to the payment card industry (PCI) standards. Military systems normally require DoD Information Technology Security Certification and Accreditation Process (DITSCAP) and DoD Information Assurance Certification and Accreditation Process (DIACAP) certification and accreditation. Consumer-wearable technology sharing data about blood pressure and heart rate may require compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

3.3 Consumer protection

The working group will most probably examine a large number of consumer protection issues related to the Internet of Things. For example, it may discuss the lack of transparency and difficulties in ascertaining liability. As for the lack of transparency, consumers may be unable to understand how a device, product, or service is functioning. The reason lies in the complexity of interconnected systems. To illustrate, a smart TV may transmit data about watching habits to producers, payment processors, advertisers, and other third parties. Consumers may not be aware of the content of the privacy policies governing the smart TV due to the legalese in the document. The difficulties in ascertaining liability stem from the involvement of multiple parties in the inter-networking of connected devices. For example, if a user is unable to complete a payment transaction through an Internet-connected device, the fault may be found in the systems of an Internet service provider (ISP), payment facilitator, or the device itself.

3.4 Privacy and security

The Internet of Things may pose at least three major privacy and security threats, namely, unlawful surveillance, active intrusion in private life, and data profiling. Each of these three threats will be examined below.

  • Unlawful surveillance. The Internet-connected modules comprising the Internet of Things can be used for unlawful surveillance. For instance, hackers may, without authorization, monitor the location of people using smart watches and observe children through cameras installed in their toys. Such threats are not mere speculation. Researchers have already discovered numerous security loopholes in Internet of Things devices, such as modules installed in cars, children's toys, and medical equipment.

  • Active intrusion in private life. The Internet-connected devices may allow hackers not only to monitor their victims but also to interfere in their lives. This is because most Internet-connected modules are installed in devices that can be remotely controlled. To illustrate, a criminal may remotely stop a heater or a refrigerator.

  • Data profiling. Sellers of Internet of Things products and services can use the data collected from such devices to create detailed profiles of the users of the devices. The profiles can, in turn, be used for targeted advertising, i.e., reaching consumers on the basis of their profiles. For instance, consumers who use their Internet-connected coffee machine to prepare mainly espresso will receive more advertising about this type of coffee drink than consumers who use their coffee machine to prepare cappuccino. Targeted advertising may limit consumers' personal autonomy as they may not want to receive ads based on their preferences.

3.5 The current use of the Internet of Things by federal agencies

Federal agencies have already implemented various Internet of Things projects. For instance, the General Services Administration's (GSA) Smart-Buildings initiative aimed to make federal governmental buildings more efficient through the implementation of Internet-connected technologies. The initiative was launched in 2012 as a response to President Obama's 2009 executive order to reduce the energy consumption of federal buildings by 30%. During the first phase of the project, the U.S. government installed thousands of sensors into 50 governmental buildings. The sensors collected data related to operational efficiency and energy use. According to the GSA, the initiative resulted in USD 15 million of annual savings.

To fully benefit from the Internet of Things, federal agencies need to address at least the following five challenges related to the use of the Internet of Things: (1) lack of technological expertise; (2) lack of funding necessary for implementing Internet of Things projects; (3) lack of vision on how to implement Internet of Things projects; (4) red tape; and (5) concerns about interoperability, privacy, and security. The working group envisaged in the DIGIT Act will likely discuss these challenges and propose approaches for addressing them.

4. Conclusions

The DIGIT Act stresses the importance of the Internet of Things for the social and economic development of the United States and creates a working group aiming to prepare a national strategy for the Internet of Things. The strategy should facilitate the rapid development of the Internet of Things. The strategy is important as no country can benefit to the maximum possible extent from the Internet of Things without adopting proper regulations, just as no country can do so without a strong private sector, which is not hindered by excessive regulation.

References

  1. 'A Bill to ensure appropriate spectrum planning and interagency coordination to support the Internet of Things', U.S. Senate. Available at https://www.fischer.senate.gov/public/_cache/files/03de7771-088b-45ac-8552-f82ddc0aa480/digit-2016---final-bill-for-filing.pdf.
  2. 'All Bill Information (Except Text) for S.88 - DIGIT Act', 115th U.S. Congress. Available at https://www.congress.gov/bill/115th-congress/senate-bill/88/all-info.
  3. 'A resolution expressing the sense of the Senate about a strategy for the Internet of Things to promote economic growth and consumer empowerment', 114th U.S. Congress. Available at https://www.congress.gov/bill/114th-congress/senate-resolution/110/text.
  4. Brous, P., and Janssen, M., 'Advancing e-Government using the internet of things: a systematic review of benefits.' International Conference on Electronic Government. Springer International Publishing, 2015.
  5. Castro, D., New, J., McQuinn, A., 'How Is the Federal Government Using the Internet of Things?', 25 July 2016, Center for Data Innovation. Available at http://www2.datainnovation.org/2016-federal-iot.pdf.
  6. Dawson, M., Eltayeb, M., Omar M., eds., 'Security Solutions for Hyperconnectivity and the Internet of Things'. IGI Global, 2016.
  7. Dimov, D., 'Privacy Implications of the Internet of Things', 14 November 2013, InfoSec Institute. Available at /privacy-implications-internet-things/#gref.
  8. Greenough, J., 'The 'Internet of Things' Will Be The World's Most Massive Device Market And Save Companies Billions Of Dollars', Business Insider, 18 November 2014. Available at http://uk.businessinsider.com/how-the-internet-of-things-market-will-grow-2014-10?r=US&IR=T.
  9. Priestley, T., 'The Internet Of Things Is A Fragmented $19 Trillion Roulette Gamble', Forbes, 5 October 2015. Available at https://www.forbes.com/sites/theopriestley/2015/10/05/the-internet-of-things-is-a-fragmented-19-trillion-roulette-gamble/.
  10. 'The Global Value Chains Initiative', Duke University. Available at https://globalvaluechains.org/concept-tools.
  11. 'The Internet of Things and challenges for consumer protection', Consumers International, April 2016. Available at http://www.consumersinternational.org/media/1657273/connection-and-protection-the-internet-of-things-and-challenges-for-consumer-protection.pdf.
  12. 'The Internet of Things: 19 Trillion Dollar Market', Bloomberg, 10 April 2017. Available at https://www.bloomberg.com/news/videos/b/f329fe55-53ef-46a2-abe3-fdbc6c411617.
  13. Unwin, T., 'Reclaiming information and communication technologies for development'. Oxford University Press, 2017.
  14. 'Working Party on Communication Infrastructures and Services Policy', OECD, 24 May 2016. Available at http://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=DSTI/ICCP/CISP(2015)3/FINAL&docLanguage=En.
  15. Zhou, H., 'The Internet of Things in the Cloud: A Middleware Perspective', CRC Press, New York, 2013.

Co-Author

"Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master's degree in IP & ICT Law."

Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.