Public Hearing on the “Internet of Things and Consumer Product Hazards” Part 1


Acting Chairman: Okay, I think in the interest of time we will begin our hearing this morning. Good morning and welcome to this public meeting of the United States Consumer Product Safety Commission. We have one item on our agenda this morning, and that is a public hearing for the Commission to receive information from all interested parties about potential safety issues and hazards associated with internet-connected consumer products. CPSC's mission is aided greatly by the input and the insight of our stakeholders, and so I am very grateful today to our presenters for taking the time and the effort to come in and share their thoughts and their expertise with this Commission. Your input is truly invaluable to the agency.

Presenters have been divided into three panels. Each presenter will have ten minutes to deliver their comments. Our Secretary, Ms. Alberta Mills, will keep track of the time for us. As always, thank you to Ms. Mills, Ms. Hammond and all of the Office of the Secretary for their invaluable assistance today. Presenters, I would ask you to just watch the lights in front of you to track your own time; the yellow light indicates you have one minute remaining in your time to talk. In addition, the Office of the General Counsel is here to ensure our discussions are germane to the announced topic. Following the panelists' presentations, commissioners will have ten minutes each for questions. We will have one round of Commission questions per panel. After our second panel, around 1:05 p.m., we will break for lunch. Out of respect for all of our panelists, I will make every effort to stay on time so our participants can meet whatever obligations they may have throughout the day.

The written comment period will be open on regulations.gov through June 15th, 2018, so if there's something additional you wish to comment on that you didn't get a chance to say today, please know that this is not your only opportunity to share your thoughts with us; there will be time where you can add any comments you might have.

With that, I will begin with panel one. This morning joining us we have Ari Schwartz from the Cybersecurity Coalition, and I would ask all of the panelists, if I pronounce your name incorrectly, please feel free to correct me. Brigitte Acoca, is that correct? Acoca. Brigitte Acoca from the OECD Working Party on Consumer Product Safety; Rachel Weintraub from the Consumer Federation of America; and Kathleen McGuigan, Retail Industry Leaders Association. Thank you to all of you for being here this morning, and with that we begin with Mr. Schwartz.

Mr. Schwartz: Good morning.
Thank you for having me. I'm here today representing the Cybersecurity Coalition, which is a coalition of 14 major companies that are engaged in cybersecurity and in protecting consumers and enterprises using cybersecurity software and services. We tend to focus on issues in depth rather than trying to cover a broader landscape of all the issues; we try to work on very specific issues, and the Internet of Things is one of those issues that we have focused on in more detail.

The first area that I'd like to focus on today is to talk a little bit about safety and security, and how in many cases we pull those apart and try to find the differences between safety and security, so we have different groups working on them. But in this area, safety and security are somewhat inextricably linked. When you have a denial of service attack that shuts down a particular product that people rely on, that situation ends up putting both security and safety at risk. When someone's personal information has been stolen or taken from them and is being used against them, that can put their safety at risk as much as it puts their security at risk. So therefore we do think that this is an area where groups that work on safety, government agencies and other organizations that work on safety, should be involved in security and should be looking at security, and we thank you for your diligence on this matter today.

The second area I want to talk about is the focus on the building of voluntary, consensus-based and industry-led standards. It's our view that any effort in this space must rely on voluntary standards and that those standards must be consensus-based. In this area we are just beginning to see those grow. We are seeing the products come out at the same time that we are seeing these standards put in place, but we are seeing these standards come about, and I'll give two examples of areas where we're starting to see some efforts in this space.

The first is what's called a Manufacturer Usage Description, or MUD, which is a protocol that's being developed at the Internet Engineering Task Force. The goal of MUD is really to give a way for manufacturers to say what their product is supposed to do and how it's supposed to work. So, for example, if you have a baby monitor and it's supposed to record sound, and that is supposed to travel over a certain Internet protocol, that all can be transmitted through the MUD protocol, and people can say exactly what type of bandwidth you're expected to see out of that. That makes it so that a network can read that information and make determinations about whether that product is doing what it's supposed to do, and if it's not doing what it's supposed to do, the network can automatically shut it off, or cabin it, sandbox it, so that it can only be used for certain things and can't touch other areas. This is helpful for solving a lot of the problems that we have with connected devices, where we see devices that are being used to attack other devices in other parts of the network or being used to implant malware. So if we can figure out exactly what a product is supposed to do and cabin it to do only those things, then we can better protect security moving forward.

Secondly, other areas where we see standards developing: the Cybersecurity Coalition, in one of the areas that we're working in, is developing profiles under the NIST Framework in areas that can help for IoT in particular. We have built a DDoS, distributed denial of service attack, profile that will help people take the steps that they need to mitigate denial of service attacks, and we are also building one on botnet mitigation that will allow, when a device has been taken over to be used for the purpose of a denial of service attack, people to look for the things, put up the protections and also remediate a botnet when their device has been turned into part of a botnet. So those are areas that we feel are extremely important. We're doing this under the NIST Cybersecurity Framework, which is the worldwide leading protocol for doing risk management for cybersecurity.

That brings me to the third area, which is that CPSC should engage with the cybersecurity community. I know this might be difficult to believe, but not everyone follows every proceeding at the CPSC with bated breath the way a lot of people in this room do, and the cybersecurity community, I don't think, is very used to engaging with the CPSC. We have tried to track this from the Cybersecurity Coalition; we represent more of the larger groups in the cybersecurity community, and a lot of the innovation is happening with the smaller companies, some of whom are our members as well. But I think that it would behoove the CPSC to reach out to the cybersecurity community, where a lot of great work is being done on IoT and defense in this area.

Lastly, I want to discuss the issue of building a single certification standard in this space. We get very concerned when we hear people talk about building a single certification for IoT, and the reason for that is, even though we do certifications, I mean the members of the Cybersecurity Coalition are some of the people that actually do cybersecurity certification in this area, we do those services, an IoT certification would be very difficult to do because of the vast array of different kinds of devices we're talking about. I know there's a lot of focus at CPSC on toys; we're also talking about lightbulbs, we're talking about health devices that may be in or out of the CPSC's current jurisdiction, we're talking about a wide range of different kinds of devices that hook up to different things. Developing certifications in this space is possible, but it would have to be cabined more toward certain types of devices at a time, because each one has its own way of looking at it. It's part of the reason we think it's important to focus on standards like MUD, which specify what kind of devices and what they do and help to cabin those devices for those purposes. So I think the idea of coming up with a single standard runs counter to where the industry is going in terms of trying to figure out how to deal with IoT. Multiple different kinds of certification is a possibility; we would prefer to see those, again, started in a voluntary fashion and developed over time as this space continues to grow. Thanks again for having me, and I'm happy to answer any questions.

Acting Chairman: Thank you very much, Mr. Schwartz. Ms. Acoca.

Ms. Acoca: Thank you, Madam Chair, for the opportunity to present
today the activities of the OECD Consumer Product Safety Working Party. Over the past 18 months the Working Party has devoted a lot of attention to looking at the impact of the Internet of Things on consumer product safety, including at a roundtable on connected consumers that was held last October, but also in a report that was released just two months ago on product safety in the Internet of Things. I will try to answer today some of the questions that were included in the notice for this hearing, based on the findings in the connected consumers roundtable and the report, but I'm afraid that I actually have many more questions to raise today, as, like the US CPSC, many other OECD consumer safety agencies, and agencies also in non-OECD members that participate in our activities, have at the moment.

So, first of all, when we started looking at IoT we tried to understand what we were talking about, and there is no internationally agreed definition of the IoT, but it is basically understood as a system through which devices are connected to the Internet, to each other and to users, consumers. At the core of that system is data, as it's been described in the notice: data about consumer behavior that enables businesses to actually innovate and produce very sophisticated products that can be customized, that can improve over time and that can learn from their environment throughout the lifecycle. On that note, it is important to understand that the IoT is being increasingly paired with other technologies, and at the OECD we are actually looking at the IoT with other technologies such as artificial intelligence. The market in many OECD countries is growing, not as rapidly as everybody would have thought, actually, for a number of reasons and problems. It involves not only a new range of complex products but also new players that produce these products and also ensure their maintenance, and I would like to note that among these players is now the consumer, who for some products is also involved in the production and the use of these products.

Whether these products are spreading in an environment with a consumer product safety regulation and policy framework that is actually equipped to address the emerging risks and challenges for consumers is the main issue that the OECD has been looking at during the past 18 months, and we will continue exploring this. As I said, in many OECD countries and non-members we have a lot of questions, and what we have seen is that product safety in those countries tends to regulate physical goods, physical products, rather than, as I just explained, products that can evolve over time, and that includes intangible digital content products such as software.

I should stress that the OECD has not only explored in its work the challenges that are arising in this space for consumers, but we have also carefully looked at the many product safety benefits that the IoT is bringing to consumers and also to businesses, and we do think that we should keep those benefits in mind as we try to come up with policy solutions to emerging risks. I just wanted to flag some of these benefits, which include enhanced product tracking and traceability; the possibility for consumers to remotely use their IoT products, including with safety features from afar; also the possibility for businesses to identify at a very early stage any defects with their connected products; and the possibility for businesses to reach out to consumers, to identify them very quickly, to alert them to any consumer product safety issues with their product and also about the need for, and the existence of, a product recall that consumers should be aware of. I should actually add that we just had last April an interesting OECD workshop on product recall effectiveness, and we heard from some businesses that they are now able today to prevent consumers from continuing to use unsafe IoT products. We know that unfortunately consumers continue to do so despite many alerts from businesses, but in fact businesses are also able now to force consumers to stop using these products: they just switch off these products at a distance through software updates.

With respect to the emerging challenges that have been identified in countries, again this is a very nascent market for consumers, and when we asked our agencies to come up with examples of problems that consumers are facing in this space, we didn't hear many examples from them. We have actually collected some examples throughout our research and the report that I was mentioning at the beginning of my presentation, and many of these problems have been identified once again in the notice, and I should say as well in the US CPSC staff report on new technologies, which we carefully looked at when we developed our own report on the Internet of Things. I can just mention a product malfunction that is the result of a software update, or the result of a consumer failing to actually push a software update.

I would like to pause here for a second to ask additional questions on this. What do we know about software updates and related consumer expectations? Do consumers think that their connected products should update themselves automatically, or do they think that it should be for the business to actually decide whether they should consent or not to these updates each time an update is necessary? Do manufacturers have to go through certification and conformity assessment processes each time an update is to be carried out? And how long do manufacturers, and perhaps also other stakeholders in the supply chain, have to provide software updates? We don't have yet the answers to all these questions, and there seems to be, however, consensus on the fact that consumers should be informed about their rights and obligations when they use these new products, including whether their products might receive some security updates and other software updates that protect consumers from any vulnerabilities.

I just mentioned at the outset of my presentation that the IoT is being paired now with artificial intelligence, and there have been a few examples in countries in recent years of accidents and deaths, unfortunately, due to, for example, an autonomous car failing to distinguish a white truck on the highway and confusing it with the blue sky, or, in another case more recently, a pedestrian being killed by a car using autopilot mode on the street. Consumer safety may also be at risk when one or several products connected to an IoT system are not interoperable with each other, leading to the failure of the entire IoT system.

And finally, I just wanted to mention what was just presented about the intersection between product safety and digital security: the fact that we have seen in recent years some hackers being able to hack into a system and lead to consumer injury, hacking into a baby phone, hacking into a smart lock system. That is raising new issues and perhaps the need for rethinking what product safety is, what a safe product is, what a product is, what a defect is, when we know again that a product can become defective due to an unsafe autonomous decision of a device or hacking into a system. And what does "product" mean? Again, as I said earlier, most product safety legislation refers to tangible products, but when we have intangible products at stake, do we think that existing legislation covers these products?

I just wanted to note finally that all these questions were discussed recently, last October, at an OECD conference on artificial intelligence, and that we will continue discussing the intersection between product safety and liability in our future work. We will organize very soon a conference on the Internet of Things, AI and product safety, jointly with the European Commission, next November, probably during International Consumer Product Safety Week, and we do look forward to continuing working with the US CPSC and other agencies on these issues. Thank you.

Acting Chairman: Thank you very much, Ms. Acoca. Ms.
Weintraub.

Ms. Weintraub: Thank you so much. I offer today's testimony on behalf of myself as well as my colleague Susan Grant, who is CFA's Director of Privacy and Consumer Protection. Consumer Federation is an association of nearly 300 nonprofit consumer organizations across the United States.

To give a sense of the scope of the problem, the research firm Gartner estimated that by the end of 2017 there would be 8.4 billion connected things in use worldwide, of which more than five billion would be consumer applications, and that by the year 2020 these numbers will have more than doubled. In an article, Bruce Schneier, a cybersecurity expert, wrote: "With the advent of the Internet of Things and cyber-physical systems in general, we've given the Internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel and concrete." We are concerned that these attacks against flesh, steel and concrete can lead to product safety injuries, deaths and property damage. While the Internet of Things offers many potential benefits for consumers, there are many concerns as well, including concerns about safety and security, and it is crucial for policymakers to put adequate protections in place.

The January 2017 CPSC staff report, "Potential Hazards Associated with Emerging and Future Technologies," noted the advantages for consumers of home-based smart appliances, alarm systems, thermostats, medication monitors and other connected devices, but also pointed out that these products may have little internal security or could have defects that pose hazards. The report stated: "Each smart device represents an opening to hackers or software failures that can interfere with the device's basic operation." One potential hazard is that a homeowner may believe that an alarm is seemingly functional, yet through software bugs or intentional interference the safety device is not responsive to conditions like rising CO levels and does not alert the household. Not only alarms or monitors ceasing to function could create a safety hazard; if a connected device starts operating when it should not, due to a software defect or intentional interference, for instance an oven, toaster or coffee machine turning on and overheating, this could cause a fire or other serious damage.

Wearable devices such as activity trackers and smartwatches constitute another serious area of concern, especially given their popularity and wide use. The CPSC staff report noted the potential for burns, skin irritations, hearing damage and other physical harms that may be caused by wearables. The CPSC staff report also cited concerns that electronic disturbances could prevent connected products from operating properly as designed. A paper about product safety and the IoT recently released by the OECD cited this and other points made in the CPSC staff report and outlined other potential safety risks: for instance, lack of implementing software updates could affect the operation or security of connected products; planned obsolescence may affect how the products function; data used by the products could be incorrect, affecting their operation; and augmented reality applications may misidentify an object in the real world, causing physical harm.

The collection and use of personal data from connected devices also raises safety concerns. The CPSC staff report cites as one of the risks of wearable devices that they may collect sensitive personal data, from health-related information to the GPS location of children. We believe that this is a safety concern that the CPSC should consider.

Resources from the public and private sector encourage good practices concerning designing and deploying connected devices. For instance, the Online Trust Alliance, an initiative of the Internet Society, has published an IoT Trust Framework which covers security considerations for connected devices. In the public sector, the Interagency International Cybersecurity Standardization Working Group recently issued the draft NISTIR 8200, Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things, to inform and enable policymakers as they seek timely development of and use of cybersecurity standards in IoT components, systems and services. While best practices and voluntary standards are helpful, they may not be adequate to protect consumers from the potential safety risks of using connected devices.

As noted in the OECD paper, the IoT raises three policy challenges: the impact of IoT on distinctions between hardware and software, products and services; the question of liability; and communicating safety to consumers. Last year Consumers International, an association of nonprofit consumer organizations around the world, issued principles and recommendations for fostering consumer trust in IoT. Among other things, CI called for the concept of safety in general and sector-specific product safety legislation to be broadened to reflect new cybersecurity, data protection and product safety concerns, as well as the development of international standards and the adoption of best practices. In addition, CI recommended that connected devices should be easily upgradable, and adapters and other connection points should be compatible with each other, to reduce new interfaces from rendering them unusable. In December 2016 the Office of Oversight and Investigations minority staff issued the "Children's Connected Toys: Data Security and Privacy Concerns" paper. The report documents the unequivocal responsibility that manufacturers of connected toys have to address these concerns, and a failure to secure consumer data.

Relevant to CPSC's request for written comments, we urge manufacturers of connected products to address product safety threats at the initial stages of the design process. Product safety risks posed by connected products should be addressed as early as possible in the design of the products. Manufacturers of connected products must show the same commitment to addressing product risks regardless of whether the cause is due to a software, hardware or other design defect. While mandatory standards are often preferable because they are enforceable, existing voluntary or mandatory standards can be updated to include the unique product safety risks posed by connected products. For example, ASTM F963, which has been codified by the CPSC as a mandatory standard, could be strengthened to include hazards posed by connected toys. In addition to updating existing voluntary and mandatory standards, strengthening product liability laws and having meaningful and effective manufacturer codes of conduct, we urge the CPSC to create an interagency working group with the Federal Trade Commission and any other agency that shares jurisdiction over connected products. The interagency working group should have clear goals, clear deadlines and an unequivocal commitment to effectively address the risks posed by connected products. As an initial goal, within six months of its creation the interagency working group should prepare a document that it will submit to Congress and make publicly available, which would describe the harms posed by connected products; outline each agency's jurisdiction and authority to address these issues; provide information about the actions taken thus far by each agency to address the risks posed by these products; report on whether existing voluntary efforts are keeping pace with the growth of connected products and the risks they pose to consumers; and finally make recommendations for any additional authority and resources that are needed to better address these hazards. The public would benefit from the sharing of agency expertise and knowledge and from a joint commitment to addressing the risks posed by connected products.

In conclusion, we appreciate that the CPSC is holding this hearing on the Internet of Things and consumer product hazards. We urge the agency to use its existing authority to address product safety risks posed by connected products, to engage with voluntary standards organizations to address these issues, and to work closely and concretely with other agencies that share jurisdiction over connected products to jointly address product safety risks posed by connected products. Thank you very much.

Acting Chairman: And thank you very much. Ms. McGuigan.

Ms. McGuigan: Good morning, Acting Chairman, Commissioners and staff. I'm
kathleen McGuigan senior vice president and deputy general counsel the retail
industry leaders Association by way of background
Rilla members include some of the nation’s largest and most innovative
retailers the retailer’s industry as a whole employs over 42 million Americans
and accounts for 1.5 trillion dollars in sales we are truly living in an age of
digital revolution new technologies and innovative applications are emerging
almost daily from smart lock door locks security cameras to smart smoke
detectors home appliances electronics smart cars personal care products and
wearables internet connected or IOT technology is being incorporated into an
increasingly ever ever wider array of consumer and industrial products these
products offer consumers efficiency and convenience and many have capabilities
as noted today that can increase consumer safety I want to thank you for
the opportunity to testify before you regarding the Commission’s important
roles and responsibilities related to IOT products rila members believe that
the CPSC’s activity in this area should have two
concurrent goals protecting the safety of consumers and promoting innovation we
believe that the CPSC can accomplish these goals by undertaking actions that
fall generally within three issue areas education collaboration and engagement
under the bucket of Education I’m really talking about internal education
government regulators are most effective when they understand the industry
products and services that the agency regulates to understand if and how the
agencies should act in this area it is critically important that the CPSC
invest in internal and external resources to enable the staff to engage
to understand IOT technology its uses and applications IOT products raise
complex issues and not all IOT products are created equal
individual IOT products will have diverse functions and capabilities
resulting in distinct potential safety risks and different ways to mitigate
those risks additionally IOT products raise unique
legal issues including product liability issues as still are being worked out
Rilla has long urged the CPSC to engage proactively on IOT issues this hearing
is an important first step in the agency’s educational journey but the
CPSC should not stop here we urge the CPSC to continuous outreach to a wide
range of stakeholders to learn about IOT technology and products fortunately
there are a lot of resources available for example the CPSC could reach out to
manufacturers software developers industry groups rienne retailers and
consumer groups to get an understanding of the types of IOT products that are
currently being sold and to gain insight into IOT products heading to market the
American Bar Association and other leading legal groups are providing
thought leadership on emerging IOT legal issues and additionally ul the
cybersecurity and consumer reports consumers Union and
other consumer advocacy groups are also looking at ways to assess IOT products
the second bucket really involves collaboration and here I’m talking about
collaboration interagency and collaboration with industry partners IOT
products by their very nature involves cybersecurity privacy and safety issues
involving multiple federal regulatory agencies including the National
Institute for Standards and Technology and the Federal Trade Commission the
CBSE can best protect the safety of US consumers by was staying within its
statutory authority and working collaboratively with its federal agency
partners to develop a comprehensive risk-based approach to safety evaluation
and oversight of IOT products additionally the underlying statutory
authority for this agency the Consumer Product Safety Act provides a framework
for the agency to collaborate with industry on IOT product safety issues as
contemplated by the Act the vast majority of consumer products are
subject to voluntary industry safety standards, not mandatory government standards. Voluntary industry standards have consistently proven to be an effective means of protecting consumers; they're the result of collaborative consensus of all interested stakeholders, including the CPSC. Voluntary standards can be tailored to reflect the unique safety risks of individual products and product categories, and easily updated to reflect new technology, changes, or products. RILA members encourage the CPSC to continue its efforts to work with industry to develop strong, risk-based voluntary industry safety standards for IoT products.

And the last bucket here is engagement. By engaging with manufacturers and retailers, the CPSC can assist manufacturers to design and produce safe IoT products and enable retailers to choose safe products to offer for sale to consumers. Once the CPSC has developed in-depth knowledge and expertise on IoT technology and safety risks, the agency could issue guidance similar to the guidance that NHTSA has issued for smart vehicles and that the FDA recently issued for smart technology, more specifically smart medical devices. These guidelines provide manufacturers principles to follow when developing products. By developing IoT safety guidelines rather than issuing mandatory standards or requiring pre-market certification, the CPSC can best protect consumers while encouraging, not stifling, innovation.

Let me close by restating the support of RILA members for the mission of the CPSC and its effort to ensure the safety of all products, including IoT products, sold to US consumers. We look forward to continued collaboration with the Commission. Thank you for the opportunity to speak this morning, and I'm happy to answer any questions during the question-and-answer period of the panel.

Thank you very much. Thank you to all of our panelists for their thoughtful presentations. We will now begin our first questions by the Commission, and I will begin those questions. Ms. Weintraub and Ms. McGuigan, you both talked about collaboration with other government agencies, which I think is very important, because on many levels it will inform us as to who is doing what, so there isn't overlap and waste, but on the other hand to make sure that all of the potential issues are covered. And so I'd like to ask both of you: have any of these discussions begun with the FTC? You've talked about NIST or NHTSA. I'll ask both of you this question: are you aware of any of these groups that exist, or would we take the first step to begin one?

There is currently an interagency working group, in which I believe your staff is participating, and it is at a technical level. It involves NIST, FTC, NHTSA and others that are currently participating in that process. I don't have visibility into the discussions during the process, so I don't know exactly what the scope of that is. I think it would be useful to share that with industry and this stakeholder group.

Thank you. Ms. Weintraub?
I am not aware of any additional information about that, but I would urge that committee to maintain its technical focus but to broaden it, to have responsibility to communicate with Congress and others. Perhaps there are clearer deadlines, I really don't know, but I think having clear deadlines and clear goals for reporting, and having specific goals such as really documenting what's being done by each agency, what authority there is, whether there are gaps, whether there are needs for more resources, more expertise, etc. I think that would be incredibly helpful for this group, if they're not already doing that.

Thank you. And I agree with that. I think that there has to be a policy group who determines who's doing what, what's being done, what needs to be done, and then beyond that the technical level and what staff does day in and day out. So I think defining the scope of this potential problem and issue, and the benefits, I mean there are benefits and there are potential issues with this, and thus our hearing today. I wanted to ask Ms. Acoca: Mr. Schwartz mentioned certification and the issue of really considering it product by product rather than as a group, and in your testimony I think you alluded to that. Do you agree with that, that when you're dealing with the Internet of Things it can't be one standard, it's got to be more specific to a product?

This is not really a question that we have discussed, but I'll give my personal opinion here, based on the research that I've done in this area. I do agree with the fact that there are so many different devices at stake, and some of them are really dealing with sensitive data; I'm thinking of medical devices, for example, or devices that are used to protect children, child care equipment. And so perhaps for specific product categories we could think of certain certification and conformity assessment processes that would be really adapted to the characteristics of these products. But again, this is not an issue that has been discussed in our group, so personally,
thank you.

Thank you. Mr. Schwartz, you mentioned NIST's framework. Can you talk to us a little bit about how you think that, with regards to consumer products, could be applied to or related to, or is there no connection?

So the framework is really built to be tied to risk management. It's not itself a standard; it is bringing together all the different standards in this space. I tend to think of it as what Ajay Banga, who is the CEO of Mastercard, called it, which is the Rosetta Stone for cybersecurity. Before that, the way that most cybersecurity standards come about is we have a problem and we come up with a solution for that problem, and then we move to the next problem and we come up with a solution for that problem, rather than trying to group them together, which seems to happen afterwards. What the framework did was to put them into categories and then tie existing standards to those categories. There are five main areas in it, and I think that it works across the board. It's at a high level, though, right, and then you build profiles down underneath that. The way those profiles have been built since the framework came around four years ago is industry by industry, and what we're trying to do, one of the things that we're doing in this space, is to try and do it by the threat as well. So then you can have the industry and the threat that you're looking at and narrow down specifically to say, if we want to prioritize to stop this threat related to a specific product area, we can take our industry and we can take the threat and prioritize the areas where we see overlap in both of those and highlight those particular standards.

So NIST has been encouraging us to do that, and they've been working with us. We held the first workshop on our DDoS and botnet mitigation profiles, with the Cyber Threat Alliance and the Center for Democracy and Technology working with us to do that. What was optimistic about it: we're still waiting for their reports to be published that they sent to the president on Friday. I was hoping that it would be published the day that it actually went to the president, but we're still waiting for that to come out. We hope that that will encourage more work in this space. Specifically, I mean, that's about botnets, which is one area of threats related to IoT, but that demonstrates how the NIST framework can be used very specifically, and then more broadly, just as manufacturers develop new products, looking at the framework and using it to figure out their risk in this space. But it's not something you can certify to; it's a process to look at risk. The standards underneath that are what you certify to, and then as you dig down the profile you could build voluntary certification around specifics that come out of that.
Thank you very much. Commissioner?

Thank you, Madam Chair, and again thank you for organizing the hearing. I still remember when I went running down to your office and said, I have this brilliant idea, what we need is a hearing on the Internet of Things, and she looked at me and she said, yeah, we've organized it and we've already planned it, and I think you'd even scheduled the day. So as usual I was a little too late to the game. But I wanted to ask a broader question of the entire panel, because this is one of those things that I lie awake at night thinking about, and that is: have we reached an inflection point with respect to the Internet of Things? When I first came to the Commission nine years ago I was absolutely certain that the big issue for the next decade was going to be nanotechnology, nano hazards, and fortunately today I haven't really seen that. We've seen some minor safety issues, but it's not really exploded as I feared. And so I guess my question is, Ms. Weintraub, you said 8.4 billion devices that are connected today, probably double by 2020. Have we reached a point where it's a new world and that we really need to take dramatic steps? In other words, are we at code red or are we at code yellow with respect to risks associated with the Internet of Things? Mr. Schwartz, maybe start with you, if you have a comment about things.

I mean, I'd still say we're at code yellow. I do foresee a world where you could get to code red, so I wouldn't say that's not a possibility. I think that there are major threats that are looming, and we have to take steps quickly to make sure that that happens. And again, I think doing it in a way that fits with the way that the industry is growing, and building security into the way that the industry is growing, I think can help with the safety concerns. But if we don't do that, then we're going to end up in this situation where we do end up
with major threats and lives at stake.

Ms. Acoca?

As I mentioned in my presentation, the market is growing in many OECD countries, but it's still not growing as fast as one would have thought, and all the predictions that we have heard, which we have in our reports as well, we will see whether they are realized or not. We have seen that actually the market has not grown as fast as it could have because of many problems, including a lack of interoperability of products that are being put on the market, which makes it a fragmented market, and therefore consumers are not rushing to adopt that market as we would have thought. I do think, though, that even if this is a nascent market, our organizations, agencies, so-called civil society, industry should really, really think about considering whether the frameworks that are in place in countries are fit for purpose, adapted to these new products and emerging risks. They are reaching consumers now; consumers start adopting these products, and therefore there should be consumer protection and safety ensured by design, if I may say, as the market continues to grow, otherwise we're in trouble.

I think we are at a time that we know that problems can occur, and we don't want to see concrete fires, deaths and injury, but we know that a stove could catch on fire. We don't want to see those fires burning down homes; we don't want to see children getting injured as a result of Bluetooth technology and getting hacked into a baby monitor or a doll or a children's smartwatch. So I think while we know these things can occur, in terms of there being either products that have become inoperable, like alarms that aren't working as they should, we know these problems can occur. We have not seen a lot, or maybe it's just not publicly available, but we've not seen a lot of incidents that have led to harm. But I think this is the opportune moment to take action so we don't see that, because I think collectively, as a whole, every single stakeholder involved in this effort does not want to see those
fires or injuries or deaths.

Thank you. Ms. McGuigan?

I think in this area it will be driven by consumers and what consumers want, and consumers essentially vote with their pocketbook. Right now IoT products are potentially more expensive than non-IoT products; there is an issue of Wi-Fi connectivity, depending on where you live, and the reliability of that. So I don't see IoT technology just being added for the sake of adding IoT technology. I see IoT, at least in the products that we've seen, IoT technology being added to provide some kind of consumer benefit, some kind of convenience factor or some kind of connectivity. All of the issues that the other panelists have raised are absolutely there, the challenges of interconnectivity of IoT products and those challenges. But we have long held that the CPSC has an important voice at this table, and have long urged the CPSC to get engaged and to be part of that conversation. We do think that you have the opportunity to partner with your federal agency partners to develop a comprehensive risk-based approach to this area. So yes, we do think that the CPSC should take action.

And if I might, we'll stay with you for an additional second. One of the suggestions you made was to consider the issuance of guidelines by government agencies. Setting aside whether those are reviewable under the Congressional Review Act, I do think that that's a good approach, because what we're stuck with is working with consensus voluntary standards where that's possible. But one of the things that does concern me, and Mr. Schwartz, I want to ask you the same question, is it seems to me there are so many entrants into the field, especially small manufacturers that may not have a real good technical grasp, and my question is, what's the likelihood that a whole multitude of these small manufacturers are even going to know about the existence of voluntary standards, let alone comply with them? So if you were sitting in our shoes, what would be the best course of action that you would advise?

I would say engagement and outreach. There is a whole ecosystem of startups and startup communities that are out there. Our members, we have an (R)Tech initiative that is connecting our members with these kinds of communities of individuals and entities that are creating new products, new services. We're happy to try to facilitate that kind of conversation, but you are correct: when you have a brand new startup and they have a brilliant idea, they may not understand all of the federal agencies that are involved in the process and how to bring that; they're just concerned with bringing a product to market.

Mr. Schwartz, if I might,
this is partly that same question but a little bit of a variation. When I read your testimony I saw that you didn't like the idea of a certification standard that would eliminate, quote, low-risk products that are designed to be inexpensive, which to me is the easy one. The tough one is high-risk products that are designed to be inexpensive, and that's the one that I think gives all of us nightmares. And just carrying on with lots of new entrants in the market, do you really think that consensus standards will provide all of the answers to making sure these products are safe?

Well, as I said, I think that, I mean, we're not quite there yet in figuring out how to do even specific areas of this, truly looking at this from a standards point of view. So I think we're moving in that direction; I think that we need to move more quickly than we have been, absolutely. And the time will come when we're ready to have that discussion as to whether it should be voluntary or mandatory, but to start with, I think we're not there yet, and at that point we should be encouraging voluntary standards, and there's a lot of reasons for that, cost being one of them. One thing I did want to say: we've been talking about this from a negative point of view, but I think that there are positives of IoT from a product safety standpoint as well, the big one being patchability in the field. Ms. Weintraub mentioned that; that's something to look at in the space.

And sir, I'm sorry to interrupt, but I'm about to run out of time. I did want to ask a specific question about that. The idea of a remote fix is a great benefit when it comes to connected devices, and so, speaking from the perspective of a government agency, if somebody does a remote fix of something that they discover is a very serious defect, do you think there should be an obligation to notify the government and notify consumers that this severe risk has been fixed, or should that just happen without people knowing about it?

Well, I mean, I think we have standards for doing that for computing software today, right, and I think that those have been well established. We're moving forward in that direction. NTIA actually had a stakeholder group meet on this and come up with some very good recommendations. I think it's a starting point to put out there, in the kind of strong voluntary guidance that you're talking about that came out from NHTSA and from FDA, that other regulators like CPSC could pick up, and that could be one of the areas. So we have some work that's already been done in that way, and I'm going to encourage you to look at that.

Thank you so much. Commissioner Robinson?

Thank you. I want
to thank all of you for your thoughtful presentations, and I particularly want to thank the organizations represented by Kathleen McGuigan and Brigitte Acoca, because I think that the OECD paper was just so superb on consumer product safety in the Internet of Things, and also, Ms. McGuigan, the presentations that you came in and gave each of the commissioners' offices with respect to your (R)Tech initiative. I think both of those were very instrumental in putting together this hearing, which is terrific, and I thank you. I confess that for much of my time as a commissioner I was focused more on the Internet of Things as a way of getting data and a way of getting information to consumers, making it more consumer friendly in terms of product recalls and so forth, and had not focused on the issues that we're focused on today, primarily because, and I don't think I'm alone in this, I sort of thought, well, our jurisdiction is products, and we're not about privacy and we're not regulating hackers and so forth, and so I didn't really think that we had jurisdiction. But recently I've really come around on that, and I really think it's critically important, as each of you has presented today, that we have an interagency and an international effort toward addressing these important issues. I look at Europe today in terms of protecting consumers' privacy, compared to this country, where we're just learning how easily all of our private information is being used to make a few people a lot of money, and I think we have much to teach each other. So I think we're at the point now where we're looking for the questions, because I certainly don't have any answers, but as Picasso said, what good are computers, they only have answers. We really need to address how we find the questions. So the most tangible thing that I can get a hold of, in terms of presentations, Ms. Weintraub, came from you, in terms of F963, and we're going to have some testimony today that says that the Internet of Things issues are already addressed by F963. Do you agree with that? And if not, you mentioned it briefly in your presentation, but what approach should we be taking in terms of updating that, if you don't think that's addressed?

So this is an
interesting question, because I think F963 is an effective standard that addresses a very, very broad array of hazards posed by toys. My assessment is that the standard, though, does not address the type of hazard posed by a doll that could be hacked into through Bluetooth or some other technology, that whole issue. My interpretation is that F963 does not address that particular issue, whether it's a software, hardware or design issue. So I think that F963 could address those issues, and I think toy manufacturers definitely need to be engaged in looking broadly at their connected products' potential risk to consumers and address them in a serious manner.

So what would you suggest that CPSC do in terms of getting those issues addressed by F963?

It could do a number of things. It could have convenings, bringing together those key folks from the Toy Association, those participants in F963, sharing information about potential problems, having dialogues about potential solutions, and really encouraging different aspects of the standard to address these types of issues.

Okay. Ms. McGuigan, again, in response to Acting Chair Buerkle's questions, you said that there is an interagency group that has NIST, FTC and NHTSA. Are there other agencies that any of the four of you think, and I'm going to come to the international in a moment, Ms. Acoca, I promise you, but in terms of this country, are there other agencies that you think should be involved in an interagency effort?

Well, I think my understanding of the interagency group, and again I don't have a lot of visibility into it, but my understanding is that it's at a technical level, and I do agree with Chairman Buerkle that I do think that there is a role for an interagency convening, at least to understand at a higher policy level the jurisdictional boundaries of various organizations and how you can work more collaboratively together on policy issues.

Any other agencies you think should be involved?

It seems to me that we're pretty much covering it with NIST, FTC, CPSC and FDA.

FDA, right, add FDA for connected medical devices.

Yeah, exactly.

So Ms. Acoca, the OECD is in a very unique
position, and you're a unique witness in this hearing today, in that you bring so many of your member nations' views before us. But how would you suggest that we try to go at, at least finding the questions, the answers come later, but what we should be addressing on a more international level, because especially with the Internet of Things it's just so connected all over the world?

Thank you for your question. I actually would like to go back, to try to answer your question, to some of the points that were made earlier encouraging, for example, the CPSC to develop guidance in this area. I'd just like to note that other countries are also, or have already, developed some guidance, for example on how to ensure cyber digital security of IoT products, and it would be good... we are here at the OECD working party to serve as a platform for all the agencies, again from OECD countries and non-members, to join forces and discuss, identify the issues and try to find some potential solutions. So we are here to serve as a platform for discussing all these issues, including, for example, taking stock of what is out there, who is developing what and from which perspective, and what solutions have already been identified. I just mentioned the UK; I know that the U.S. FTC has also developed some work in this area, making public comments on digital security for the protection of consumers, including product safety in the IoT space. I mentioned the UK, you mentioned the European Union; the European Commission has done a lot of work in this area, and I did say that we will organize an international conference with the EU in November to discuss all these issues, so we do hope that the US CPSC will contribute to all these discussions. I also mentioned in my presentation that the IoT should not be looked at in isolation, if I may say, as a technology, and that other technologies are now interplaying with the IoT; I'm thinking of AI once again. And just to note that the OECD is about to create a global observatory on artificial intelligence, and we will in that context address related Internet of Things issues, including product safety issues, and we would hope that your agency and other agencies working on product safety issues will join the conversation and help us identify the right issues.

I see Rich O'Brien back there, so hopefully listening to this. Mr. Schwartz,
I know that my questions are so general today, but in terms of the kind of standard that you have in mind, do you have in mind a performance standard or a best practices standard? I know you, like others, are advocating a voluntary standard, but what would you think it would look like? I know I'm actually suggesting a number of standards in this space, and that's part of what I'm getting at, in terms of what this marketplace is just too large to kind of cabin, right, a single...

I didn't think so. I think you need both, right. I mean, you certainly have the performance standards that I was talking about, related to the device descriptions that would be sent and then how people would take those in. You'd probably need another technical standard for how those are taken in, but then there's sort of best practice standards as well, for what you do to prevent different things from taking place in enterprises, etc.

Okay, so obviously this isn't going to be, I mean the interagency group would have one function, I suppose, but what's the body that you envision, or bodies, what types of bodies do you envision coming up with these performance and these best practice standards?

Well, so the Internet Engineering Task Force is working on some of these already.

Again, are they working on standards?

Yes.

Okay, no, that's specific standards.

Okay, yeah, those are technical standards, obviously.

Performance or best practices?

Those are performance standards.

Yeah, so what are other bodies in terms of the best practice standards?

I mean, NIST is developing things in this space now, and they're working with some other organizations to do that. Again, my group is focusing in a very specific area in this space, to pull together a lot of the different standards, build a profile under the NIST framework that pulls together all the different standards in this space. I know that some work has been done in ISO, and this is where some of the industry groups have pulled together. UL, who is speaking later today, I'll let them go into more detail on it, has brought several of the standards to ISO in this space. That would be another place where you would see best practice.

Thank you so much. I'm out of time.

Sure. Commissioner
Kaye?

Thank you, Madam Chair, and thank you as well for having this hearing. It's a good step for us to be taking. Ms. Weintraub, I wanted to commend you for the suggestions for some concrete action and deliverables by the agency as well as some of our partners. I very much support that. I hope that we will take that up and really move forward on that. As you envision that unfolding, if we're able to do it, what kind of expertise from the CPSC side do you think would be necessary to be at the table?

Interesting question. I would think those involved need to be very aware of CPSC's authority, what is within their jurisdiction, what they can do already. I think they would also need to be aware of a lot of the technical aspects, so policy as well as the technical aspects of the interaction between IoT and consumer products, understanding hardware, software, how these things interact. And I think also being able to be strategic, working within a group for a broad collective purpose, and also being very goal-driven, because I think these types of organized efforts work the best when there are very concrete results and concrete products that are created to move these things forward.

Great, thank you for that. And Ms. Acoca, you mentioned during your testimony, or maybe during one of the answers to the questions, that you looked at the staff report from January of '17, the CPSC staff report, as part of your research or the research that was done. From your perspective, what was your assessment of our technical capabilities, as best as you can tell from the output that the staff produced?

I thought that was one of the agencies that had actually already done a lot of work in this area compared to other countries. I should say that the U.S. is one of the biggest markets among OECD countries in this area, but your agency has already done a lot of work, a lot of research in this area, and compared to other countries, other countries are struggling, actually, trying to understand what is at stake, what we are talking about, what technology is being used, what business models are offered to consumers, and many indicated to us that they don't have the expertise yet, which you do have already, to try and answer all these questions. And they really would like to have the OECD working party, and perhaps other OECD bodies working together, come together to try to share expertise in this area as the market continues to grow, to be able to come up with potential policy solutions. But many countries told us that for the moment they are not in a position yet to come up with policy responses, because they are still trying to understand what the market is about for consumers and what problems might emerge that we haven't even identified yet.

And that makes sense, and so thank
you for that. Were there any areas, when you looked at the report and as you conducted other research, or the group conducted other research, where you would suggest that the CPSC invest more from a staffing perspective?

There was one question that I had when I looked at the potential hazards that some categories of products may raise for consumers, and I was struggling a bit when I read the part on wearables and the dangers that they may present to consumers. I was just wondering to what extent these are actually raising unique IoT questions, or product safety questions that may also affect other categories of products that are not connected products. So I was a little bit struggling here, trying to really see whether these are really the categories of products that should deserve unique IoT policy responses. But overall I thought that this report was excellent; it really inspired the OECD report, and I do think that perhaps there might be some further research to be done on the potential risks and injuries that consumers may face in this new space. But again, this is about sharing information among different countries. Just to give you an example, we have some countries like Korea and Japan which are very much advanced in terms of market growth but are still not as advanced as the U.S. CPSC in terms of trying to understand the market and the technology, and they are very supportive of this project and are asking us to continue. But again, this is about sharing information together at the international level and with other bodies and committees at the OECD.

That's great to hear. Again, thank you. One of the charges to the staff back in, I guess it would have been toward the end of '16 or maybe the summer of '16, when they started to work on the report, speaks to what you said earlier about other technologies that need to be considered at the same time, AI and other issues, and I think that's where wearables came from. The direction that I had given to the staff was think as broadly as possible, you come up with where you think these are emerging issues, and I was very pleased by what they produced, and I think that we need to all be mindful of that as we go forward, that there are other technologies out there, as you mentioned. So I appreciate that comment, and I hope that that's part of the discussion as we move forward with our partners and international partners as well. Mr. Schwartz, I wanted to have a better
understanding from you, if I could, about the standards development. I clearly get that a toaster is different than a doll, which is different than a portable generator, etc., but how different are the systems of connectivity? Meaning, when somebody is going to turn what is a non-smart product into a smart product, are there 15,000 different options, like there are in making a consumer product, or are there sort of core systems that are very much the same in how you go about doing that?

Well, as Ms. Acoca said, one of the issues that we have is that interoperability hasn't totally solidified yet for IoT. So right now you're talking about things connecting through different kinds of channels, right; they're connecting through different pathways. There are certain similarities, but it has not all worked out yet, and that may be the case: certain industries may end up with different types of connectivity.

And is it sort of like chargers? So an Apple device has one kind of charger and a BlackBerry had a different charger, but ultimately the electrical components and the electrical theory behind it, the electrical engineering, is all the same; they just have different components. Is it like that, where there's different ways?

It's a little bit different than that, in that you have local connectivity, right, where you can connect wirelessly, and then you have the broader network connectivity, where you're connecting through different, you could actually go through different ports to have connection there, and those different ports mean different things in the technical space, right. So different types of things connect through different channels, and I think that all kind of plays into: we're talking about it as though it's one total ecosystem, but it's really, from a technical point of view, several different ecosystems that we're patching together in different ways, right. And that's where I say, right now, if you were to say we need to build one standard for this, it's not going to come together. Over time that might be the case, right, but if we're talking about building it in the better way, as we build these voluntary standards to do the connection, you build security and safety into those, we're going to end up with a much better system than if we try and force everything to do the same security.
I totally get that what I’m trying to understand is is the process so similar
that you could have a process either Guidance best practice standard where as
long as you check the following boxes from a process standpoint you are very
much likely to end up in a good place from a from a security safety whatever
you want to call it standpoint well I mean that when when attempts to do that
and when there have been attempts to do that in certain areas in the past in
security and for security standards they have failed and why because it ends up
being a check box kind of mentality of oh we have to do X Y & Z as opposed to
what where our biggest risks for this particular product right so and and the
the that there’s been a move and security away from kind of listing the
kind of criteria that you have that you absolutely need and one more towards a
risk-based one where you prioritize the risk for that particular type of product
but that still sounds like a performance standard where you it is but I guess I
feel like a process standard is a step back from that where you’re really just
talking about how you go about doing something and as long as you are
addressing certain core issues that would be relatively the same for any
about any which way you went about doing it you’d still like I said end up in a
better place yeah but I mean even even what we’ve seen from security process
standards right is it if if it if it ends up that there’s so much that we
have to do today to secure systems yeah right it still ends up becoming a very
long list and the priority is is based on doing everything into the minimum
degree as opposed to probably figuring out where the risk is and highlighting
that for that particular that helps area yeah okay thank you very much thank you
That completes the first round of questions by the Commission. I want to thank Mr. Schwartz, Mr. Koch, Ms. Weintraub, Mr. McGuigan for being here today for your testimony. As you can see, we could go all day just with panel number one, but I wish to thank you all for sharing your expertise and your insights with us, and at this point we will take a break and switch to panel number two. Thank you very, very much. I apologize, that’s a 10-minute break, just to give you some clarity.

Could we ask our second panel to be seated, please? Mr. Huber, Mr. Norton. I saw Mr. Hebert earlier, I’m sure he will join us as soon as he comes back into the room. Welcome back. We will now resume with our second panel, which includes Ms. Sheila Millar from the Toy Association, Ms. Deborah Prince from Underwriters Laboratories, Mr. Rod Freeman from Cooley LLP, Don Huber from Consumer Reports, and Mr. Travis Norton from the International Federation of Inspection Agencies. My sincere welcome to all of you for being here. Again, my sincere thanks for taking the time to share your expertise and your thoughts with the Commission. Ms. Millar, would you please begin your testimony?

Thank you, and good morning.
My name is Sheila Millar. I’m a partner with the law firm of Keller and Heckman LLP, and I’m representing the Toy Association, Inc. today. On behalf of the Toy Association, I want to thank the Commission for holding this event and seeking to learn more about the connected product environment. It’s certainly of high importance to the toy industry.

By way of background, the Toy Association represents more than 1,100 businesses. Its members include toy manufacturers, importers and retailers, as well as toy inventors, designers and testing labs, all involved in bringing safe, fun and educational toys and games for children to market. The U.S. toy industry contributes an annual positive economic impact of $109.2 billion to the U.S. economy. But most importantly, since the 1930s the toy industry and the Toy Association has been a leader in the development of toy safety standards. Toy safety is a top priority for toy industry members. Toy industry efforts to promote toy product safety include leading the development of the first comprehensive toy safety standard. Now, as you all know, ASTM F963 is a mandatory consumer product safety standard by virtue of the CPSIA, and our industry continues to provide technical input and leadership to the ASTM committee. Toy Association staff and members actively participate in the ongoing review of this living standard today to keep pace with innovation and potential emerging issues. The Toy Association and its members work with government officials, consumer groups and industry leaders on ongoing programs to ensure safe play.

As this brief history illustrates, protecting children and maintaining the trust of parents are the most vital concerns for the toy industry, and as more companies enter the connected toy space, the toy industry recognizes that we must continue to address any issues that may arise from IoT technologies. Our members examine the physical safety of the internet-connected products they sell by applying F963, and they also focus on developing internet-connected toy experiences that protect the privacy of consumers and safeguard their personal data. We appreciate that the Commission’s intent is to focus on its core mission of product safety, not data privacy and information security, but as some of our panelists mentioned this morning, and as you begin to explore the role of safety standards in the context of connected product safety, it’s important to learn from and build on experience in the privacy and security space.

The Toy Association and its members have unique experience with connected toys compared to other IoT products for one simple reason: children’s privacy and the security of their data is extensively regulated by the Federal Trade Commission under the Children’s Online Privacy Protection Act. Connected toys that involve collecting information from children are subject to COPPA, and so I think it’s worth spending a couple of minutes to discuss how approaches to privacy and information security can inform and build on initiatives related to product safety, and the principles that toy industry members bring in their development of connected toys.

Toy Association members respect the privacy rights of all consumers and strive to embed privacy and security safeguards for personal data into all stages of the internet-connected product development and marketing lifecycle. Fair Information Practice Principles like transparency, security, data minimization and privacy by design and default are central values for toy companies handling consumer personal data, especially when that consumer is a child. Reflecting these values, as well as the requirements of COPPA, the Toy Association and its members support five guiding principles for development of internet-connected toys.

First is safety by design. Internet-connected toys must be developed with safety in mind and must meet all applicable physical safety, privacy and security requirements.

The second principle is privacy first. Privacy starts with the principle of data minimization, which is a central requirement of COPPA, one well known to toy industry members. This means tailoring the collection, use and storage of personal data to only that which is needed to carry out a legitimate business purpose.

The third, related principle is safeguarding security. Toy industry members are committed to safeguarding personal data, if any, that is collected through internet-connected toys, and this includes implementing reasonable administrative, technical and physical safeguards that are not only reasonable but also appropriate in light of the personal data collected and the technologies used to deliver the connected toy experience. It also includes assessing and allocating responsibilities of third-party vendors involved in the development, delivery and/or support of internet-connected toys. That kind of due diligence can’t be underestimated: evaluating the security features of data collected and stored via connected toys, using third parties where appropriate. And by the way, when it is appropriate, the folks that are used are probably companies that you all have never heard about, because they are experts in security. Penetration testing that’s done to confirm that the connected product is not vulnerable to known exploits, that’s an important pre-launch step. It is equally important, because things can go wrong, to have a plan to respond to vulnerabilities identified post-launch, including reported bugs or potential data breaches, because the data security threat landscape continually evolves.

The fourth principle is transparency. The toy industry supports providing clear information on our privacy practices for connected toys. We strive to provide information about the capabilities of the connected toy, including, where possible, how and when an internet connection can be established and schedules, if any, for updating software and firmware associated with the connected toy.

And the final principle is empowering parents and caregivers. By operating on the principle of data minimization and providing clear and understandable information, we empower parents and caregivers to understand the potential risks of the online world, as well as the opportunities that connected products, and particularly connected toys, can offer, to support the type of experience they think is right for their own children. We notify parents and caregivers and seek an appropriate level of parental consent when necessary, in accordance with COPPA. Some toys, or the apps that power them, may also provide mechanisms for parents and caregivers to tailor their child’s digital activities as they choose.

With this background, we recommend that the Commission focus on circumstances where physical product safety issues, independent of the privacy and data security issues regulated under COPPA, may be presented. At least where toys are concerned, due to the comprehensive scope of product safety regulations governing toys and the features of toys themselves, we have undertaken an exercise but have not identified potential physical product safety hazards, not already addressed by F963, that could be uniquely presented by an internet-connected toy. In this regard, toys are currently required to be tested extensively to avoid some of the exact hazards mentioned in the Federal Register notice, like shock, laceration, fire and chemical exposure. Of course, one of the major safety features of CPSIA involves the presence of chemicals like lead or phthalates. There is no scenario that we can think of under which a connected toy that meets F963 would somehow present a chemical hazard due to some type of software or security failure in a connected toy. Similarly, because F963 comprehensively addresses hazards of electrical toys, like shock or overheating of batteries, we likewise do not believe that changes in the standard are necessary to deal with connected toys. For example, F963 currently requires that batteries must be tested so that they do not overheat even when they remain plugged in for over 336 hours. This is just one example; the ASTM F963 standard outlines many other testing requirements that affect toys. Thus the principal issues that toy companies focus on with connected toys involve the exact issues that are covered by COPPA.

From that perspective, we’ve talked this morning about the many interagency task groups, the NIST standard. There wasn’t a mention of NTIA, the National Telecommunications and Information Administration, multi-stakeholder initiatives that also cover a variety of things, including connected products. One thing those initiatives do share is recognizing that a risk-based approach and a process management approach is desirable, one that builds on existing frameworks and requirements to avoid duplication. We think it’s important for the Commission to prioritize, then, those connected products that due to their nature are likely to pose the highest risks. The Toy Association and our members always prioritize the safety of children and are committed to doing so with connected toys. We appreciate the opportunity to appear today and look forward to the remaining discussion today, as well as our ongoing and continuing collaboration with CPSC, with other federal agencies and with other stakeholders to promote
safety of toys. Thank you.

Thank you very much. Ms. Prince.

Good morning, Acting Chairman Buerkle and members of the Commission. My name is Debra Prince, and I’m a standards program manager for Underwriters Laboratories. In this capacity I chair a number of UL technical panels that develop consensus standards for products and systems with a focus on emerging technology. I am honored to have this opportunity to speak with you today about potential safety issues and hazards associated with internet-connected consumer products.

UL is a science-directed organization that for over a century has worked to advance knowledge to address important and emerging safety, security and sustainability challenges. UL has built up a base of functional safety and security expertise while working with connected devices, from consumer electronics to smart appliances, providing a broad view of trends impacting these connected technologies. This insight has allowed us to anticipate the technology implementation and to establish IoT-related standards and programs in specific product categories. By bringing the science of safety to the forefront, UL fulfills our mission of promoting safe living and working environments for people everywhere.

UL strongly believes that establishing appropriate and effective safety and software security requirements for IoT-connected technologies can best be accomplished through consensus informed by the ability to access timely and comprehensive data, varied subject matter expertise and shared resources. Collaboration between the government and private sector is critical here, and we encourage the Commission to work not just with the federal and state agencies that may be focusing on IoT, but also with voluntary consensus bodies who are best suited to assess the safety and security of such devices. UL seeks to work with the Commission to gather and interpret that data, as well as to create the resulting response that the marketplace needs to continually offer safe, innovative products.

Internet of Things generally refers to a network of devices that communicate with each other and enable functionality ranging from remote user interaction to full autonomy. IoT is already in the marketplace. Examples include connected cameras and doorbells for security, sensors and controls for remote adjustment of indoor environments and ambient lighting, as well as voice assistants for control, convenience and entertainment. These may be operated as part of a proprietary network or by software services in the cloud. What they all increasingly have in common is functionality that is adaptable to the use environment and the potential to add new or different functionality beyond what is anticipated and factory-programmed. A key challenge for the safety community is to anticipate and manage the new and emerging risk associated with this innovation and help smooth the way for its safe adoption.

UL believes that the Commission has accurately characterized the product safety challenges of IoT products and is asking some of the important questions for today’s hearing. One additional consideration that we would propose to the Commission pertains to the opportunity for IoT devices to improve safety outcomes. Rather than focus only on risk, we should also consider the potential of smart devices, in some cases, to alert users to changing conditions that could become hazardous. Might an interconnected smart device be capable of taking direct action to prevent the hazard from manifesting? As we work to prevent emergent hazards associated with the development, deployment and use of IoT products, we must also recognize new opportunities to improve safety outcomes that smart devices create. Enhanced safety outcomes in the connected world will be realized through the application of safety science, collaborative research and consensus standards development.

With the proliferation of IoT-connected devices, the Commission, UL and safety organizations in the U.S. and worldwide will encounter new challenges in managing risk, complicated by the need to balance safety and software security with other desired attributes, such as interoperability and privacy, all while not stifling innovation. It is important to remember, though, that while this particular challenge is new, we have faced and successfully addressed similar challenges as technology has changed. Consumer product safety standards examine and seek to mitigate the safety risk inherent in the intended function. Take a washing machine, for example. Safety standards address safety risk related to the functionality of the spinning washer drum, as well as ensure sufficient electrical insulation is used to limit the likelihood of the machine itself posing a hazard. If you have a connected washing machine, existing assumptions must be challenged with respect to the functionality and hazards. Can a spin cycle speed be reprogrammed? Would lack of software security control be considered a hazard in itself that the standard should address? These types of considerations are a starting point for addressing the safety of IoT.

Voluntary appliance standards consensus bodies are taking strides to address some of these concerns. For example, they have considered that embedded functions that are possible, and not just those of the initial factory configuration, may be altered by an IoT connection. Where that can lead to a safety consequence, the hardware and software must reliably minimize that risk. The ability to locally override a remote setting or control is also important. UL standards address the functional safety of a consumer product in the context of the expected use, as well as the foreseeable uses enabled by IoT technology. Remote operation, delayed starting, timed operation and the like have long been a part of the appliance landscape. While these aspects have been appropriately addressed, the connected technology potentially expands these operating modes in ways not previously seen. What constitutes a potentially foreseeable use is likely to evolve with the technology. An interesting example of this: the internet-connected electric iron. An attended appliance, it was an unlikely candidate for IoT-connected technology; however, it was one of the earliest appliances to be connected. The age-old worry, did I shut off my iron, now can be resolved from a remote location. It is important that any contemplated requirements or standards revalidate the underlying assumptions for a product and question them when employing IoT-connected technology. To the greatest extent practical, any resulting requirement should consider the individual end-use application to fully appreciate these assumptions.

The Commission should also consider the inherent hazard posed by IoT-connected devices. Being connected means a wired or wireless communication device is included in the consumer product. It is likely that the electromagnetic environment of that product is different when a radio is embedded. The immunity of sensitive electronics from the consequences of radio operation must be ensured. This is particularly important for safety devices. Transient signals can adversely affect both the hardware and the software of programmable electronics. Another consideration is protection against cybersecurity threats. This is an area of active safety standards work. It is highly desirable to enable the upgrading of a product after it is in the field; however, the act of updating software can be a source of risk when there is an unsecure connection to a public network. Media reports of hacking incidents demonstrate that insecure technology products are discoverable. There may be motivation to alter the product such that its safety is no longer assured. This would be a concern for high-risk products such as indoor space heaters.

In conclusion, UL works to facilitate the development of comprehensive, stakeholder-driven, IoT-specific requirements that will bring consistency and predictability to internet-connected consumer product safety performance and will contribute to the continued growth in the deployment of connected products and systems. Therefore, UL supports the Commission’s effort to explore IoT and emerging technologies, and commends you for holding this initial public stakeholder meeting on IoT safety issues. As the Commission considers how it will tackle safety challenges and promote the realization of potential safety improvements arising from IoT and other innovative technologies, UL remains committed to working with the Commission and safety-minded stakeholders to continue advancing solutions to further improve the safety of internet-connected consumer products. Thank you.

Thank you very much.
Mr. Freeman.

Good morning, Acting Chairman Buerkle, Commissioners. By way of background, I’m a partner in the London office of the law firm Cooley, where I specialize in international product safety law. I’ve been involved in this field for more than 20 years, during which time my practice has shadowed the development of product safety laws and regulations in Europe and, in more recent years, increasingly around the world, and increasingly my own work has become focused on issues arising internationally from new and innovative technologies. Now this includes connected products and the Internet of Things. My law firm, Cooley, has its roots in Silicon Valley and enjoys a reputation for being a leading adviser to innovative, tech-focused companies, with our clients ranging from the established market leaders in this space to start-ups and high-growth innovative companies. I also serve on the board of directors of the International Consumer Products Health and Safety Organization, ICPHSO, where I’m the director responsible for the organization’s international programs, and I participate in the OECD Working Party on Product Safety, which you’ve already heard much about. I was in fact the primary author of the recently published OECD report on product safety in the Internet of Things, to which Mr. Koch referred, and I enjoyed collaborating with Mr. Koch in preparing that. It’s with that background that I’m happy to be here to share my international perspective on the important issues that are being explored by the CPSC here today.

The world is at a juncture, I believe. Despite fading productivity growth in recent years around the world, new digital consumer markets have emerged globally, driven by the development and the diffusion of a range of innovative and evolving technology-driven products and production processes. Connected products and the Internet of Things enhance the lives of people around the world; they’re already doing that. The Internet of Things makes people more productive, it helps them manage their time, manage their health, it makes products more efficient and more reliable, and these technologies are also helping to make the world a safer place and have the potential to do that. In time, communities around the world increasingly will benefit from these technologies, and indeed some of the more exciting possibilities arise from the ways in which they can bring real benefits to more disadvantaged communities around the world and the more vulnerable people within our societies.

And it follows that regulators and policymakers all around the world are actively considering the question of what are the appropriate policy responses to the emergence of these technologies. There are tremendous benefits, and we all know there are potential risks, risks that are new and risks that are potentially more complex and challenging than those we’ve had to deal with in the past. Policymakers around the world recognize the need to support good innovation in this area and avoid stifling innovation, whilst at the same time appropriately addressing the challenges that might accompany the technology. All legitimate stakeholders have a share in getting this right. Consumers want access to new technologies that they will enjoy and that will enhance their lives, but they want and they need to feel safe. Likewise, companies investing in this technology for the long term want consumers, and need consumers, to feel secure and confident in the markets for their products, and they want a level, a stable and a predictable playing field in markets all around the world. We all have a shared stake and a significant common interest in getting this right.

Within Europe, these issues have been under consideration for some years. The European Commission just last month published an important working document titled Liability for Emerging Digital Technologies, and in that working document it recognized that a clear and stable legal framework will stimulate investment and, in combination with research and innovation, will help bring the benefits of these technologies to every business and citizen. It recognized that this framework must include a reflection on future needs and developments from the perspective of both the consumer and of the innovators. The working document also emphasized the importance of the complementary legal frameworks of product safety and product liability laws, which in Europe we label the two pillars of the internal market, and also makes the important point that trust and uptake of these technologies will depend on whether they are perceived to be safe. Just last week, the European Commission also published its latest five-yearly review of the Product Liability Directive in Europe, with a particular focus on whether that directive is fit for purpose in light of these new technologies and the Internet of Things.

Europe is not alone. The advanced economies around the world, without exception, recognize the importance of supporting innovation in these technologies, and the governments are starting to grapple with the challenges of how to support and deliver the benefits and to manage the challenges. We heard during the last panel from Mr. Koch about how these issues are under active consideration within the OECD, and in particular through the Working Party on Product Safety. This work is just the start of what will surely be an ongoing process of evaluation and consideration of the safety issues at an OECD level, and from that it should be expected that the member countries of the OECD will take away important learnings, and important shared learnings, that will guide the national responses to the issues around the world.

One of the unique features of the Internet of Things is that the technology does not respect national borders. Indeed, it’s one of the reasons the technology is so powerful and can bring so many benefits; it’s because of the way the technology brings the world together. Products can be connected around the world, they can be driven and controlled by systems that are continents away, and the data that helps drive the devices to make them operate efficiently and safely and get better over time is data that can be and is sourced internationally. That’s an inherent feature of this technology. Alongside the benefits there will of course be new risks that can be caused by the connectivity and by the way in which these products interact. The issue of hazard identification is an important one, and one that warrants careful attention and a focused approach in this area, but I believe there are opportunities to develop new and flexible methodologies and approaches to risk in the context of new technologies that will help strike the right balance and will be fit for the future as technology continues to advance. But it’s in nobody’s interest, of policymakers, legislators, regulators in countries around the world, to develop regimes that have the effect of constructing artificial, ad hoc national barriers to technology. We need to avoid that. Such barriers create avoidable, unwanted and unnecessary inefficiencies. At least as much as any other, this is an area that calls for international cooperation. If we can achieve, as much as possible, a consistent and a coherent approach to managing the safety and regulatory issues that arise with this technology, then communities all around the world will share the benefits.

So I believe this calls for two things on the international stage: it calls for cooperation, and it also calls for leadership. History has shown us that achieving true international cooperation and true consistency when dealing with product standards and the management of product safety is not easy. There are many challenges, but there are opportunities, and there are structures around the world that support that. The work of the OECD is critical in this regard, and I note the CPSC is actively involved in the work that goes on within that organization. The discussions also that take place at a multi-stakeholder level in organizations such as ICPHSO make a critical and invaluable contribution here. There’s a lot going on at an industry level and within standards organizations to develop appropriate international principles, standards and codes to best ensure safety and security of consumers, and governments can actively support and work to help those discussions move in the right direction. There’s a significant shared interest and a common goal here. The work needs leadership, and the CPSC stands in an ideal place to be one of the leaders on the international stage to help everyone get this right. In addition to the experience the CPSC has in dealing with complex safety considerations, it oversees a huge consumer market with thriving activity for new technology, and the U.S. is the home of many of the most important innovators in this space and will continue to be so. So the U.S. needs to help lead the world in finding the right solutions moving forward. That leadership needs to be focused on finding the right solutions that are born out of a spirit of international cooperation and are sufficiently flexible to be suitable for the challenges of the future. Failing to achieve that will mean that we have inefficiencies, lost opportunities and, ultimately, I believe, solutions that actually fail to deliver the protections that consumers expect from their regulators.

I opened this presentation by stating that the world is at a junction. The appropriate policy response will be one that’s sufficiently flexible to meet the challenges of tomorrow, whatever form those challenges might take; adaptable and re-adaptable; forward-looking, to ensure the solutions are fit to deal with the world that the new technological advances will bring over coming decades; a response which can support good innovation whilst ensuring balanced protections are offered to consumers, recognizing the international nature of these issues. That is what’s required. I applaud the CPSC for taking the lead in this respect and hope that this will contribute to fruitful discussions amongst international stakeholders in years to come. Thank you.

Thank you very much. Mr. Huber.

I think it’s probably
okay for me now to say good afternoon. Acting Chairman Buerkle, Commissioner Robinson, Commissioner Adler, Commissioner Kaye, on behalf of Consumer Reports I want to thank you for the opportunity to provide comments on CPSC's efforts to assure the safety of Internet of Things products and to minimize consumer product hazards. We appreciate the opportunity to share our views on potential hazards associated with connected consumer products. We particularly welcome this chance to speak in light of the work CR's research, testing and insights team and our editorial content team have done, along with a group of partner organizations, to develop the Digital Standard, which establishes a framework and a roadmap to begin to assess IoT devices and evaluate privacy, security and data practices in CR's product reviews. This is still very much a work in progress; however, if you're interested in seeing it you can go to thedigitalstandard.org.

In the following comments we provide information addressing the questions appearing in the Federal Register notice for the hearing, which focus on identifying and preventing hazardous conditions designed into connected products and addressing hazards created by Internet connectivity. Consumer Reports sees safety risks with connected products that the CPSC should move forward to address. Broadly, we urge the CPSC, other government agencies and stakeholders to adopt a consumer-first vision for the Internet of Things. In designing and producing Internet-connected consumer products, manufacturers are obligated to take responsibility for product safety through application of safety-protective product design and development and product production processes. These principles apply across three broad categories of products that we have identified: safety products, or products primarily designed to ensure the safety of consumers; products that could foreseeably cause death, serious illness or severe personal injury, including those that present imminent hazards, whose primary purpose is not consumer safety but which could seriously harm consumers; and thirdly, all other products whose primary purpose is not consumer safety and which cannot at present foreseeably cause death, serious illness or severe personal injury if improperly designed or compromised.

Hazards that can be created by connected devices include fire, burn, shock, tripping or falling, laceration, contusion and chemical exposure, and they can present themselves whether the device is connected to the Internet or not. Consumer Reports urges the CPSC not to limit its thinking to only those hazards, however. The CPSC should also consider other types of hazards, such as, for example, medical hazards created through hacks that affect implanted medical devices such as cardiac devices that are intended to prevent heart attacks, and whether there are similar situations that could occur in CPSC-regulated products.

With respect to reported incidents involving connected products, we searched SaferProducts.gov for IoT-brand products to gain an understanding of consumer-reported incidents associated with connected devices. We found that, with some work, the connected product incidents could be identified in SaferProducts.gov, but effort was required to determine whether the IoT nature of a product was related to the negative incident. We found 45 incidents over the time period 2012 to 2018 for connected products, but the incidents appear to be attributable to electronics and/or power supplies. Review of the incidents found appears to indicate that damage or injury was not due to the IoT nature of those products but rather to defects in components also found in conventional products, such as sensors or power supplies. Our review also indicated, however, that there are important data gaps, including gaps in available death certificate data, emergency room data and self-reported consumer incident data. We searched these data sets and found that there are currently no fields used to capture the Internet connectivity capability or connectivity status of items, and we had to search deeper to identify incidents using keywords and IoT brands to identify connected products. Once connected products were identified, further analysis was required to ascertain whether the connected nature of the product played a role in consumer injury and/or property damage. Existing systems' search capabilities should be enhanced to not only include a field to identify a connected product but also identify whether Internet connectivity, due to software or connectivity, played a role in the harm to consumers. This was very crude. This is a critical area for improving the available data for SDOs and stakeholders who are working on strengthening current standards and developing new ones in this area.

CR strongly recommends that the CPSC make it clear that the first thing they will look for when investigating incidents involving connected devices is evidence that the manufacturer complied with a voluntary standard for the security and safety of devices. Relevant standards include, but are certainly not limited to, ISO/IEC/IEEE 12207, Systems and software engineering: Software life cycle processes; the NASA software safety standard, which can be used as more of a guidance document as they're very specific to NASA's products; and the UL 2744 standard for safety of products and smart environments. We highly recommend that additional research be conducted to identify, and along with standards development organizations to develop, additional voluntary standards, including international standards. While we encourage the CPSC to actively participate in the development of voluntary standards, we also encourage development of mandatory standards where appropriate.

CR separately recommends that the CPSC develop guidance for manufacturers regarding best practices for assessing software and product design for assuring consumer safety. The guidance should include advice to manufacturers to include features and safeguards to eliminate or adequately reduce the hazards that could arise through no action by the consumer, where a product failure may lead to harm to someone, and also through action by the consumer, to protect consumers from doing something harmful such as unintentionally activating a product feature that may lead to harm to someone at home. For example, as a minimum, manufacturers should design certain products to force consumers to cognitively follow a series of steps to operate a connected product remotely. The guidance should also advise manufacturers to design software and products to severely restrict or completely disable remote operation of certain other products, such as a range top, so that it is not possible to operate them remotely. Further, the guidance document should include requirements regarding the performance of multiple risk assessments throughout the product development and software development processes for the purpose of identifying security, reliability and safety risks. For example, if a connected product has a factory-set password, the software should require consumers to change the password in order to enable the application. Software should include fail-safe provisions for when an Internet connection is lost, and should assure that software does not crash and unduly lock out consumers or create safety hazards. Also, guidance should advise manufacturers to certify their products to existing software design standards such as Common Criteria certification and evaluation assurance levels. CR recommends that CPSC include in the guidance document that manufacturers design products so that they issue push notices as alerts to prompt consumers to update software to the latest version. CR encourages the CPSC to consider entering into joint agency agreements to assure that efforts are complementary, and to work across various product types and address issues that are common across the board. CR strongly urges the CPSC to be deeply engaged in voluntary standards development activities, especially with UL and ASTM and other relevant standards development organizations.

In conclusion, CR thanks the CPSC for holding a public hearing on the safety of connected devices and for its important work to keep consumers safe when using connected devices. We look forward to continuing to work with the CPSC to protect consumers from product hazards associated with IoT products. We are available to assist the CPSC, to provide input and assistance, as connected devices continue to proliferate. Thank you.

Thank you very much, Mr. Huber. Mr. Norton.

Good afternoon, and thank you for
the opportunity to be here. My name is Travis Norton. I'm the director of technical services for the Americas region at Bureau Veritas Consumer Product Services. We are an active member of the International Federation of Inspection Agencies, also known as IFIA, who I'm speaking for today. I would like to provide a brief overview of IFIA's view on IoT safety and the testing, inspection and certification industry's focus as it relates to the role of third-party conformity assessment, and some considerations for next steps in the ongoing assessment of IoT consumer product safety.

There is a growing trend in IoT companies to outsource to third parties to lower their in-house compliance costs, as third parties have economies of scale and technical expertise that can be leveraged more cost-effectively when developing software, hardware and IoT products. Our industry provides a wide range of conformity assessment services that go beyond testing and include inspections, certification, auditing, advisory and training across every stage of the supply chain; that could be from design and development to post-retail failure analysis, complaint investigations and so on. Conformity assessment tools such as safety regulations and industry standards help manufacturers, importers and distributors of all sizes to achieve compliance with international requirements, enable global market access, mitigate risks and ultimately protect their brands and their reputation.

Some standardization committees, such as IEC TC 61 for the safety of household and electrical appliances, are already drafting requirements within their standards to address these connected device hazards and the nature of those connections being uniquely different from devices that are not connected. As we've heard, in ASTM F963 the hardware itself is so thoroughly assessed for safety that it seems like any software changes to it would not; so far we can't conceive of any changes that the standard requires. And then there are new standards that are under development, like under D 13 for smart wearables, where it's really just getting started in terms of trying to define what types of issues there might be, with a lot of focus on power supplies and batteries, which was mentioned earlier. However, many of the hazards that are specific to these IoT devices are not currently in scope for the existing safety regulations or current industry standards.

From the IFIA perspective, we recommend a couple of approaches to be considered. The first is a general set of requirements, perhaps the guidance document that was being referred to earlier, that ensure that an IoT device and its related connected controller are not able to compromise the safety requirements that are already in place. So if a product has an existing safety standard, use the connected device, whether it be an app, a remote control or a voice command, to make sure that when you're testing to the existing safety standard you're not somehow creating a hazard. Our laboratory testing has shown that in some cases the connected device is able to override mechanisms that normally would prevent such hazards from occurring. Essentially this would add the IoT control system into the scope of the current safety compliance assessment standards that are used today. We believe that regulators, standards organizations, business and consumer advocate organizations must work collaboratively to develop the framework for such generic functional safety requirements. The second approach would be to identify the specific requirements that apply to items and to then introduce those requirements into those existing safety standards. In particular, this would mirror the approach of IEC TC 61, where they're looking at household products and smart home items and they've identified there are some unique issues and they want to address those within their own technical committees. But for each of these other IoT sectors that are not currently addressing it, there seems to be a need to motivate them to provide guidance and to encourage them to look at the unique hazards associated with their own requirements in their industry standards, and to develop some kind of functional safety requirements: a risk-based assessment, you know, for this particular item, what are the top three or five likely hazards, and then how do we build requirements into those standards to address those.

During the design and development of IoT devices, manufacturers and their partners should be conducting safety assessments that focus on the intended and foreseeable uses of the devices and their related Internet-connected control systems. When updates to software are being rolled out, it should trigger a reassessment to make sure that the new code that's been introduced into the device does not somehow compromise the safety of the product. A review of that software release and the impact that it has, prior to release to market, can highlight where potential injuries may occur and can be used to update the design, safety features, software or consumer guidance such as instructions and warnings. Updates to software should also include safety assessments that include test cases where intentional disruption of the update occurs. This is one of the areas we've seen from a testing perspective: if you disrupt a software update midway through, then it's partially loaded, and sometimes you get anomalies in performance, some of which can result in hazards. For leading technical companies that we work with, we have seen the utilization of test cases that evaluate the end-use conditions created by new software or changes in software, with a focus on hazard detection and disruption to performance. Similar to traditional safety assessments, the device is evaluated for the potential to create hazardous conditions given a range of intended and foreseeable use cases after it's installed into a targeted device under controlled conditions. Development methods for such companies include software integrity verification at each stage as well as testing the end device to see what the impact would be for the update to the software.

With respect to recalls, there are additional opportunities with IoT products. IoT companies can push notifications into devices that display alerts, if it's supported by the device; they can establish software updates that mitigate the hazard and disable the product, as was mentioned by the OECD this morning. CPSC participation in and support of the inclusion of some sort of connected device functional safety into the focus of standards development organizations that are building future requirements will help to align these technical committees, and it will help to ensure that the safe operation of devices, from design to development, into installation and into the updating of software, is taken into consideration. Thank you.

Thank you very much, and thank
you to all of our panelists for your thoughtful presentations this morning. We will now have our 10-minute rounds of questions for each person on the Commission. Mr. Norton, I'd like to begin with you. You mentioned disruption of software and how that can affect a product and possibly its safety. Can you talk a little bit more about that and what you see as the most vulnerable? What are the biggest safety weaknesses and vulnerabilities in your testing?

Well, again, from the testing side we have seen situations where an existing safety mechanism to prevent a hazard can be compromised as a result of either firmware updates, to a lesser extent, or software updates that occur when those products are getting those updates. It is challenging for a third-party laboratory to coordinate the software release from a manufacturer; this is generally done first-party, it's done by manufacturers, they do this stuff in-house, but we have done some work with some tech companies where they will coordinate the release of software and then we're evaluating the effect on that product in terms of how that software changes it. As examples, we've seen a garage door opener that has an obstruction beam which is working properly, but when the software update comes through and you interrupt the update, you can still operate the garage door, and for some reason now, with the iPhone or other devices, you can actually cause that door to close even though there's something blocking the obstruction beam. Now in those cases we're working with those manufacturers to mitigate that; a quick patch in the software solves the problem and it mitigates the issue, but if it had not been evaluated that might not be a known hazard, and there may be consumers out there that did a partial update or had some sort of similar issue and wouldn't realize that there was something in the obstruction beam that caused the garage door to close. There are other examples like that with other products, but I think the main concern is where you have an existing safety requirement that is somehow compromised by the software update.

Thank you. I think we would concur with that, but as we talk about this issue our concern is how that technology, as we talked about earlier in the first panel, if it is hacked or it's disrupted in some way, how does that affect the safety of the product. Here, pursuant to our Federal Register notice, we're pretty clear on jurisdictional issues, but our ultimate concern is, when that happens, when there is a breach of that privacy, then how does it affect the safety of the product? And so I appreciate your comments. Ms. Prince, Mr. Huber mentioned UL 2744. Can you kind of, I'm not familiar with that standard...

I wrote it down; I can't speak to that one, but we will report back on that. We have some additional comments we're going to provide before the closing of the period, so I can give you some more information about that particular standard, or you can contact our office if you would like. But I can talk about something that Mr. Norton had said about remote software. We do have UL 5500, which is a draft standard right now going through the consensus process, and that is looking to address those concerns on remote software updates and remote fixing, and what happens on those risks, like when it's interrupted and things like that. So that is going through the standards development process.

Okay, thank you. Yes, I think the entire Commission would be interested to hear what UL 2744 is. Mr. Freeman, you suggested that the safety standards for IoT be addressed at an international level, and that's not any different than what we heard this morning, and as we chatted between the panels, we will be at ISO and we will be participating in November. Can you mention any safety standards development that CPSC should be involved with at that level, should be at the table for that discussion, and perhaps you could suggest to us what efforts you think the United States should be taking?

Thank you, Acting Chairman. In terms of specific standards, I mean, there is work going on within the international standards organizations and indeed at an industry level, and that operates, you know, there are many, many facets of that, and there are opportunities that arise therefore for the governments around the world to take an interest in and provide an appropriate level of support for those issues. One of the bigger questions that came up during the question session during the last panel was the fact that in some ways we're at the stage of just trying to work out what the questions are in the first place, and I believe that that is the most critical focus at the moment: to identify what are the real questions that need to be answered. And that's where the work that's going on within the OECD and the discussions that take place in forums like that, I think, make the important contributions to the developing thinking on this, because it's out of those broad levels of thinking that the solutions to some of the more micro questions will start to arise.

Thank you very much. Mr. Huber, you mentioned this UL 2744. Are you familiar with that? Can you elaborate on that a little bit?

I'm not real familiar with it, but the purpose for including the mention of it in my comments was that there are standards that do exist and those that are out there that are applicable. We're reading the abstract, and this seemed to be about software, more software development, than its function. For instance, the idea in that section of my comments was more around the preventive action you take when you're designing the product, to design the software effectively. I would agree with that.

And you also mentioned, I think it was you who mentioned, I see it written down here, now I'm not seeing it, yeah, another standard. But I do think that raises an important point, and to Mr. Freeman, to what your point was, and I think we can agree here on the Commission, that's what this hearing is a part of: trying to identify what the problems are and coming up with what to do, because I think what is made very clear by the first panel, but even more so by this panel, is that there are some real benefits to this technology. We had a recall effectiveness workshop earlier, or late last year, and it was one of the points that was made throughout the course of the event that if we can have direct contact with the consumer, we can have far more effective recalls. And so that to me is the good part about all of this: we will have access to the consumer, and with any updates or problems we can reach them very clearly and when we need to. So I do think there are some really good things here, but the important part for us is to identify what the potential hazards and risks are and what is looming out there, and thus today's hearing. But, Mr. Freeman, I think what you said in terms of we need to identify what the problems are, what are the questions that we need to be answering and where should our concerns lie. So I thank you all very much. Commissioner Heather.

Thank you very much, Madam
chairman and Ms Melara I don’t mean to pick on you but when I
was preparing for the hearing I had I was talking to a friend and my friend’s
nightmare is a toy run amuck the huggy toy becomes the Chokey toy or the toy
oven becomes the toy fire starter and so on and the big fear I think is is hacks
and I said I honestly don’t know of any serious situation involving toys that
are connected toys becoming hazards so can you give us a word of reassurance
that the toy industry in particular because people worry about little kids
that the toy industry’s on top of things sure we there’s probably no other
industry that worries more about little kids than the toy industry when we’ve
looked at this issue you can’t make the huggy toy into a choking toy there’s
gonna be physical limitations to the toy and if the toy has the capability of
choking it’s something that you’re going to assess during the physical analysis
of the toy so when again when we’ve looked at the issues of when a security
or hack run amok could affect toys safety were hard-pressed to find a
situation or identify any situation where you could make a toy do something
that it isn’t actually physically designed to do that’s very different
than the concept of the garage door opener
that’s obstructed and so goes down when it’s not supposed to when we think about
remote operation and toys for example johnny is at Grandma’s house his
connected kin his connected robot is at home it’s really not a fun play
experience for Johnny to activate the toy when he’s not there to play with the
toy and so remote activated toys are I can’t even think of an example in in the
the connected toy space that I work with I think parents and grandparents across
the land will be delighted to hear that mr. Freeman I did want to ask you a
question first of all you mentioned issues relating to updating the law and
liability issues in particular and if you read MS Weintraub’s testimony and
there’s other testimony there is a serious concern about what will happen
to liability laws particularly strict liability laws and is it your sense of a
particular movement with respect to liability are they looking to expand it
make it uniform or to limit it do you see a trend Thank You Commissioner
Wright or the the trend I think is that is that lots of people are thinking
about it and and again in the liability space it’s it’s a it’s a it’s a similar
similar consideration have the rules and principles that have
developed over time remained fit for the technologies that exist today and the
technologies that will exist tomorrow it’s been an interesting journey in the
european space where the strict liability rules have been in place for
some 30 years introduced at the time to deal with new technologies back then and
the most recent review has concluded that there there isn’t an obvious case
that those rules developed back then are not sufficiently flexible to deal with
with new technologies that it’s the questions left open for more
consideration but the liability rules at the time of proof community around the
world remarkably flexible in dealing with changing circumstances so the it’s
one of those areas where I would say that the jury is still out and I did
want to ask you also about the notion of international cooperation because you
said we need to focus on international cooperation and not competition and boy
do I agree with that but let me ask the the sort of tougher question how do you
bring rogue states into international cooperation I mean even in China we have
hacking attacks in Russia Eastern Europe and then lord knows what about places
like North Korea and Iran well how do we how do we ensure that they are brought
into the international community or if not that were protected against their
attacks you know I’m not completely qualified to answer that question I’m
not sure I am either but it’s a nice thing useful question yeah it is
but I think you know the onus is on the the countries in particular that have
markets that depend on the success of this technology to to drive forward in a
cooperative way and emphasized cooperation and I emphasized leadership
and I think if if the the countries that have us a big stake in the development
of good technology take take the lead in in finding solutions then then the hope
has to be that over time the the world will have to have to fall
into the regime that’s created yeah I think what I hear you saying is if
anybody’s interested in cooperating they oughta cooperate and that certainly is a
great goal and the rogue states are maybe a separate issue at this point mr.
Hubert I did want to ask you about your comments with respect to safer products
gov and you pointed out what you consider to be data gaps in the
collecting of information so I’m just going to talk about an issue that I see
every time we add an additional item of information that we request of people
are filing reports of harm we have an abandonment rate and so you ask an
additional question you may lose three percent of the people who otherwise
would have commented that said do you have specific suggestions for how we
might address the data gap and any additional information that we might
seek and user-friendly ways of asking that yeah I guess in in a general way
yes if I’m not I’m not really familiar with with you know how the system with
nice is set up in order to get the emergency room data and well actually
I’m just talking about safer products yeah okay that was what you mentioned
and that’s that’s yeah yeah okay I can see I didn’t mention nice by name but I
mentioned the emergency rooms but okay yeah I understand what you’re saying if there are if there’s a way to ask the
question about what category of product it is if it’s a multiple choice thing
where they could click on one and not make them have to type things do things
to make it easier if it’s not already that way for some of the fields and
things that are filled however you know my point was more of one if whatever way
we can find and certainly be willing to help brainstorm that’s more later on how
we could do it because I think it’s important to those who are who are
working on existing standards to improve them and
helping new ones for this particular area to be able to understand what’s
happening from from with those types of products and if the injuries are being
caused through through them being interconnected or not now please
understand I share your concern and I wish I had a good answer I do think we
need to upgrade and I think there’s a lot of sentiment within the Commission
to upgrade the way we collect information through safer products and
the way we disseminate it so I thank you about that mr. Norton I just wanted to
ask a question I asked previously if you from your perspective looked at the
risks associated with the Internet of Things have we reached a point where we
are at code red code yellow just hard to know and in particular putting on your
cap and decline into the future? Do you have a sense about what the future holds?

Well, I would agree with the comment made earlier about it being more of a code yellow at this stage. I think, you know, in 2018 it's expected that the number of IoT devices surrounding us will actually surpass the number of cell phones, so it gives us a measure, I think, just visually, of, you know, how many of these things are creeping into the world around us, and I think that as that number continues to grow, then the concerns associated with it will grow as well. I do also echo the comments that were made in the first panel that there's still a lot of fragmentation, you know, in terms of wireless standards, and most of the utilization at a consumer level is early adopters, techies and people who have special interests or hobbies. It's not something that I think you see real general consumer adoption, but I believe that that's coming. There are a number of organizations that are trying to find ways where that fragmentation can be broken down and that everything communicates with everything and it's more of a plug-and-play environment, and I think when you see that, I think we'll see more of a J curve rather than a general creep, and I think at that point then you probably would be looking at more of a code red type situation.

Though that allows me to segue to Ms. Prince, because one of the things that UL is extremely experienced in is dealing with the kind of fragmentation that Mr. Norton's talking about when it comes to consensus standards. Do you have a sense of what a proper strategy would be for gathering these new entrants that are inexperienced or not technically competent, but somehow they can make a connected device? Do you have any advice for us about how to bring them into the consensus standards development process?

That's a really good question, and the fact is that anytime you're engaging new people in the standards development process, that gets to be a little bit challenging, and if they're small companies or large companies. I know, as a chair of our technical panels, I look at balance in a variety of ways, including large and small companies, so I try to actively, and UL tries to actively, look at who's in the marketplace and reevaluate that on a continuous basis, and the fact that, just, you know, you had an unconnected appliance at one time and now it's connected, well, your consensus body might not be made up of the right people now, right? You might not have the right players; you might need more IoT at the table, so you really have to continue to evaluate that. Now, getting them to the table, and we can reach out, I think another strong player in that is the retail space, right? If they recommend and want the safe products on the retail market, they're going to drive that need of these products meeting a specific safety standard.

Thank you.
Commissioner Robinson.

Thank you, and thank you to all of the panelists, and Mr. Freeman, thank you for that excellent report from OECD and your contributions to that. Ms. Millar, I just want to make sure that I'm understanding your testimony, because you're unique in the witnesses we have today in saying that there aren't any consumer product safety dangers for toys in the world of the Internet of Things, and the other witnesses have raised that IoT-enabled toys have caused safety issues and that they've been banned in some countries, and the dangers that are raised by others are that the F963 doesn't address the Internet of Things toy becoming hazardous through malicious or inadvertent security issues; it doesn't protect the IoT aspects of the toys from hacking; and there's no requirement for any updates with respect to the software not creating new hazards, and addressing end of life of an IoT toy so parents know that the toy is no longer receiving updates. But as I listen to you, I think what you're saying is, with respect to all those safety concerns, you think those are covered by COPPA, so F963 doesn't need to be changed. Am I understanding that correctly?

So the privacy and security of connected toys is extensively regulated by COPPA, right? COPPA requires reasonable security; it requires the type of analysis that we talked about in this morning's panel that's reflected in the NIST Cybersecurity Framework, and so when we think about what could happen, and Commissioner Adler asked the question earlier, when we marry the comprehensive regulation under COPPA with the comprehensive regulation under F963, we see that both paths are protected essentially by law. That's what makes the toy industry unique as compared to other categories of products, right? So, in response to Commissioner Adler's question, when we look at what could go wrong with a connected toy, I think the earlier testimony was really suggestive of privacy and security risks and not physical safety risks.

That's what I thought, but I wanted to ask a follow-up question to that, and I'm particularly focused on the Cayla doll that you're probably familiar with. It was hacked, and I think Germany ended up banning the doll, so I guess the question is, if there's a violation of, and I assumed that was a violation of COPPA or some such thing, that leads to a privacy concern where Germany banned the doll, could the CPSC recall that doll under your F963 now?

So, to my understanding, the recall of Cayla was done under German telecommunications law, which has a specific provision on privacy and security. The doll was not recalled elsewhere in the EU because it didn't violate other requirements; it was purely a security and privacy concern that led to that recall. I think it's also fair to say, and I can say this from my personal experience, that reports of privacy and security risks associated with toys are universally investigated by the Federal Trade Commission, and I think if you follow the FTC's activities, it starts with security updates. For example, one of its updates, I think it was from July, was very interesting, because it issued an update that basically said, we look at the space, we do not always take enforcement action, but we do investigate. Okay, and I think that that should give you some confidence that, like CPSC, FTC investigations are non-public, they're confidential, but when we see a consent agreement issued, we know that the FTC has concluded that there was a privacy violation, and when we don't, I can tell you that they generally look very deeply into those issues and may, and generally, conclude that it's not supported.

I don't think, I could be wrong about this, but I don't think they have the ability to recall a product, so, do you know if any consideration's been given to updating F963 so that it incorporates the safety concerns that we have covered by COPPA, so that we could recall it?

No, and I'll tell you one main reason why, is that F963 requirements are subject to third-party testing by accredited third-party laboratories, and the CPSC's accreditation process is obviously quite specific. As I think I mentioned earlier, to my personal knowledge, the types of companies that do penetration testing for toys are not the same third-party testing labs that do physical safety testing, right? But that testing is done, and they are done by sophisticated companies that are expert on, you know, the murkiness of the dark web and other elements, so I think the toy industry would be opposed to mandates under F963 that would add new testing obligations that may not be conducted by the kinds of companies that are best suited to do that type of testing.

Okay, thank you. Mr. Huber, I just have a quick
question for you. I like your idea of the three different categories of products: the safety products, the products that could foreseeably cause injury and death, and then other products. Can you tell me, you brought up something about medical devices, but can you give me an example of a product that would be under our jurisdiction that would be a safety product?

Well, one that comes to mind immediately would be a smoke detector that can be operated remotely.

Good example of a thing.

There are other similar types of things, smoke alarms and others.

Mr. Freeman, you have said that CPSC should be a leader in this area of Internet of Things, and I guess I want to know, where would you start in a perfect world, especially in this political environment?

I think, Commissioner Robinson, I think I would go back to the specific pointers I made in my presentation. The work of the OECD, where the CPSC is already active in the working group, yeah, the working party on product safety, is really an excellent environment where these discussions are actively being considered, and the open multi-stakeholder discussions with ICPHSO is another area where I think the CPSC can be part of some very interesting discussions that take place in that environment. So on the sort of international level, I see those as the key two forums where these discussions are very active, and then from there the other opportunities are more on a sort of sector-by-sector basis, and that starts to drill down into the fact that it's a big space and the issues that arise in different sectors are very different.

From your experience, do you think the regulatory bodies with which you're familiar have sufficient jurisdiction now? I mean, I look at our jurisdiction now, and the coders, it'd be tough to argue that they're a manufacturer or importer or something that falls within our jurisdiction, but do you think that there's sufficient jurisdiction with the authorities that you've dealt with, and where would you start? Or maybe, is that a place to start, with the framework of giving and getting jurisdiction?

Yeah, that's the question, because the jurisdiction arises everywhere but in different ways, and the sort of political and administrative structure is very different country to country, region to region, so I think it's important to understand these jurisdictional issues and that they arise. There's not going to be a magic one that fixes that, that'll make it easy everywhere, but once that issue is recognized then it sort of goes back into the mantra of cooperation, and there just has to be joined-up thinking, both within the different agencies and departments within the different countries, as well as between the countries themselves.

Thank you for that. Mr. Norton, I have a question for you. Do you think that there's a way, through testing by third parties, that we could provide consumers with information about the level of security that a device offers, in terms of being hack-proof or whatever? Some of these horror stories about hackers getting in were pretty terrifying.

Sure. If you look at the current proposal for Cyber Shield, it builds an infrastructure around essentially assessing the vulnerability of a device, giving it a kind of score, a bit similar to the way the Energy Star system was rolled out by the Department of Energy. The proposed Cyber Shield requirements that are out there, ultimately, are to submit a product, have it evaluated for its vulnerability, and then it gets a kind of rating, and that rating could then be visible on the product as some kind of mark, so that's one approach that could be explored.

I have a follow-up question, but I'm running out of time. Thank you very much.

Commissioner Kaye.

Oh, I yield to Commissioner Robinson if
you want to finish where you were.

I wanted to know, with respect to testing IoT devices by the labs, how the labs could test to a performance standard for IoT devices, given the fact that hackers are so creative.

So there are a number of different challenges with that. In some cases there is software that is utilized that goes through hundreds of individual attack, hack and disrupt cases that look at the vulnerability of that software to those conditions. That software has to be updated fairly regularly based on the nuances of new attacks and new issues that are emerging in the marketplace. That's probably the most common that we've seen, is that it's software essentially trying, we don't employ hackers to try to break into the devices, but we use the known attack routes to be able to subject them to software attack.

Great, thank you, Commissioner.

Absolutely. Claiming my time. Ms. Prince, you mentioned transient signals, and if I have that concept right, is it basically that one Internet-connected device might be giving off a signal that could interfere with another Internet-connected device?

Yes, that is one way. Another way is the embedded transient, or the embedded radio within a product: its signal disrupts something that's already inherent in the product itself, so it can be a hazard within itself, or it could be an interoperability transient signal that causes a problem.

I see. So let's, so is it at least theoretically possible that you could have an Internet-connected toy, for instance, that gives off a signal that inadvertently interferes with an Internet-connected smoke alarm?

I'm more of a standards person; that's a technical question. Is it possible? In the realm of things, I think that's the challenge of anything interconnected. I think we don't know how it'll be misused, right, and I believe those are avenues that they look at when they look at any interference, anything like that, when they do the risk assessment.

And so, turning to Ms. Millar, is that an area that the toy industry has looked at, as to whether or not something that is embedded in an interconnected toy might give off a signal that could interfere with the functionality of a totally separate Internet-connected device?

I don't think there's been a robust look at that for any of the connected product categories, frankly, except maybe in the medical device arena, because of the pacemakers, where that is a known risk. I think rather the way that you look at the security issues is to map the data, so you start with identifying what data is collected and received and how is it collected and received. If you have signed firmware, which means you can only authenticate certain signals from, you know, from authorized sources, then that sort of transient issue is probably less likely. I think you also want to look at what is the radius of connectivity, so a remotely connected device, which is much less likely with toys, is maybe much more likely to present that type of a hazard than, I think, other connected devices that would not operate remotely. But I think there are also questions of Federal Communications Commission jurisdiction on the frequency, and of course all of those connected products have to be, in the US, FCC certified to not interfere with other radio signals.

So if it turned out that you had an interconnected toy, like a robot, that was in a child's room, and there was also an interconnected, or an Internet-connected, smoke alarm that had been installed in that child's room, and there was interference that was blocking the functionality of the smoke alarm, would you view that as being a CPSC issue or a different agency's issue?

I'm not sure. I think we'd have to examine that. It may actually be an FCC issue.

Okay, and is that something that you're willing to take a closer look at?

Sure.

At least explore, because I think it's an interesting area that could help accelerate some of the work that any interagency group might end up doing.

Yeah, absolutely, and by mentioning the FCC, by the way, maybe they should be added to whatever is going on, if they're not already at the table.

Mr. Freeman, you wrote the report, thank you for that.
I wanted to ask you the same question I asked earlier, which is, did you identify any gaps from a technical capability standpoint from the CPSC staff when you went through all that work?

Thank you, Commissioner Kaye. The answer is no. You know, the work was to create a snapshot of where we are, and we are at an early stage in consideration of these issues. The technology is moving along; the discussions all around the world are, yeah, still by and large at the point of asking what are the questions that we need to be asking, and so certainly in my research I didn't identify any particular gaps in that sense anywhere in the world, including with the CPSC.

And as a follow-up, I had also asked about what type of experience or expertise the CPSC should bring to any type of working group, whether it's continued work with the OECD or elsewhere. Do you have a sense as to what type of technical capabilities we should be employing?

Well, I absolutely think it's critical to have as good an understanding as possible about the technology, and I think having some deep expertise, or sufficiently deep expertise, in the nature of the technologies is critical to good decision-making about what is the right response and how to deal with issues that arise. And the challenge of that, of course, is we're in a fast-moving area, and so that expertise also needs to have the capability to be quite forward-looking about things, because the policy and the regulatory solutions developed today need to be fit for purpose in the future, and frankly would run the risk of being out of date by the time they're implemented if there wasn't that sufficient level of flexibility. So having sufficient technical expertise to understand those concepts, I think, is critical to getting this right.

Great, thank you for that. Mr. Huber, and then I guess I'd ask Mr. Norton the same question: we heard earlier that, from a security standpoint, it seemed unlikely that some type of best practice or process standard could be developed, because it ends up devolving into a check-the-box that doesn't consider risk, and it sounds like what Mr. Schwartz was saying is, if you have 10 items on the list, they'll end up getting weighted equally and you end up wasting time by not focusing on the riskiest ones. Do you have a sense, both of you, as to how viable an effort that would be, to at least start by identifying sort of an input process, so if you at least followed the following processes, consumers could be more likely to have confidence that these products wouldn't present a safety risk?

Yes, I think it would be a worthwhile undertaking to do that, I believe, and I think there are ways that it can be done through assessment of risks and using existing practices that people have used for other types of products, but being able to quantify that risk in some way, and then that would allow you then to determine what things you're going to include in a standard per se to try to address those risks.

Good. And do you have the capability to assist in something like that?

Yeah, we can contribute to it, anyway, yes.

Okay, that's good to know. Mr. Norton?

First, I echo a lot of the comments of Mr. Schwartz, the particular concern that one size doesn't really seem to fit all, and also I think risk-based makes perfect sense. When you think about a wearable device, you know, you're concerned that it's not gonna burn you or cause these types of injuries; consumers also are concerned that their geolocation isn't being hacked or distributed, from a privacy and security issue. But, you know, between, say, components of a device communicating, say, your heart rate or how many miles you're walking to the device that's, you know, converting that to an app on your phone, maybe the level of security doesn't need to be as much. So I think it depends on where the vulnerability exists, and I do think that when you look at individual product types you probably need to break it down: are we talking component-to-component level communication, or component to app level, and then is it in some kind of cloud? So there's different levels of security that might want to be considered as it relates to the nature of the data and the risk that that poses to the consumer, and those different subcategories like component to component or component to cloud or whatever it might be. I believe that a framework can be built off of what NIST has already done in terms of identifying the basic structures of how these work. What's missing seems to be what do you do with that framework and how to tie in the different requirements with a risk-based approach so that it can be shared. I think a lot of companies, especially leading tech companies, are doing this internally already; what we don't see is a lot of publicly available consensus guidance that others can benefit from.

Interesting. Good thing to follow up on. Thank you very much.

Thank you all very much. This concludes our second panel for today's hearing. I want to thank Ms. Millar, Ms. Prince, Mr. Freeman, Mr. Huber and Mr. Norton. Thank you all very much for sharing your time and expertise here this morning and for answering the questions of the Commission. We are going to now take a one-hour break for lunch, and we will resume in one hour.