In the US, the Federal Trade Commission (FTC) has recommended that a working group convened by the US Commerce Department's National Telecommunications and Information Administration (NTIA) create guidance for Internet of Things (IoT) device makers modifying “key elements,” such as whether and how devices receive security updates.
The commission also suggested telling consumers when support for a device would end and, according to a release, “if a ‘smart’ device will lose basic functionality after security support ends” as well as if they “would expect a similar ‘dumb’ device to have a longer, safer lifespan.”
The FTC acknowledged the "enormous benefits" of IoT and called for "reasonable steps" to bolster security and privacy.
Earlier in June, the FTC's Bureau of Consumer Protection weighed in with comment at a Consumer Product Safety Commission (CPSC) hearing on IoT security, making recommendations on updating devices, government oversight of device makers, raising consumer awareness and risk assessment.
“The suggestion that the Consumer Product Safety Commission (CPSC) simply requires manufacturers to disclose the cyber-safety of their products and then let the consumer decide is not going to solve the problem,” said Andrew Lloyd, president of Corero Network Security.
Contending that there are few examples of consumers opting to pony up more money for safety or security, Lloyd pointed to the automobile industry, where carmakers are required to outfit vehicles with seatbelts and airbags. “Almost none of us asks how good they are and we don't find out until we need them to protect us from harm,” said Lloyd. “The reason for this is that the authorities have devised certificated standards that provide safety assurance.”
Likewise, governments worldwide must “ensure that their citizens are protected by adequate cyber-safety standards,” he said, and “if a product does not meet those reasonable standards then it should not be for sale.”