The FTC's Wait-and-See Stance on Internet of Things Seems Not-Good

Maureen Ohlhausen, President Donald Trump’s acting head of the Federal Trade Commission (FTC) has advocated for a “wait-and-see” approach to regulating the internet of things, which after the massive cyber attack in October 2016 that nearly crippled America’s internet infrastructure, seems like a terrible, very bad, no-good idea. It’s literally the opposite course of action one should take when addressed with a technological problem like this.

Speaking to The Guardian this week, Ohlhausen defined her agency, whose purpose is to protect American consumers, as “primarily a law enforcement agency” and “not primarily a regulator.”

According to Ohlhausen, the FTC’s job is not to speculate about what might harm consumers “five years out,” but rather to react to threats against them as they appear. It’s an approach in keeping with Trump’s desire that, for every new government regulation, two existing ones must be scrapped.

Such an attitude is far from what’s required to keep American consumers safe online. That October attack, which was likely conducted by Chinese actors using what has been called a Mirai botnet, crashed the servers of Dyn, a company which itself serves many businesses in the U.S. and elsewhere.

Dyn fell victim to a DDoS — or distributed denial of service — attack, which enlists internet-connected devices, from laptops to nanny cams, to send innumerable requests at the target’s servers, and thereby knock them offline.

As such, there were countless “sources” for the attack, making it harder both to stop and to trace. Since then, calls to implement “industry standardization in IoT devices” have increased, as a lack of such standardization directly contributed to the severity of the October attack.

New FTC regulations would go a long way toward making the necessary security standardizations a reality, and therefore towards protecting American businesses and consumers online. The technical details of standardization are as complex as they are numerous, but suffice it to say that, when tech companies are simply left to their own devices, implementing preventative measures that work across all platforms is extremely difficult, even impossible.

But it seems that Ohlhausen would rather the tech industry self-regulate against such problems, leaving a vital national security issue in the hands of individual companies. There’s one big problem with that strategy. Consumer tech companies in a competitive marketplace haven’t shown they are willing to invest in security technology if it means their product will be more expensive.

“There’s an incentive for a lot of these companies to overlook security, and maybe try to deal with it after the fact,” Efflux Systems CEO and co-founder Mike McNerney told Inverse after the attack in October.

Ohlhausen did “recommend a voluntary set of standards suggested by an industry trade association called the broadband internet technology advisory group (Bitag),” but, again, gave no indication that the FTC plans to enforce those or other requirements, despite being legally permitted to do so.

The kind of wait-and-see attitude that Ohlhausen has adopted works just fine when trying to determine the severity of, say, a faucet leak. Less so when it comes to keeping the internet online. Ohlhausen will have a lot to answer for when millions of people are suddenly unable to get on Netflix.