White House Cybersecurity Plan Misses the Boat on AI and IoT

Jan 22, 2024

The Biden administration's long-delayed National Cybersecurity Strategy Implementation Plan is here, and it's shockingly inadequate. Artificial intelligence (AI) doesn't appear once in the 57-page document. And AI's vehicle for global expansion, the Internet of Things (IoT), is given cursory treatment. The 65-point plan has many smart ideas, but it seems stuck in time, as if it was written when Biden was elected and left to collect dust as tech evolves rapidly.

There's no blue vs. red issue here. Just red tape. Nearly every government plan is outdated by the time the ink dries, so maybe it's for the best. Industry self-regulation is going to be the biggest driver of meaningful change, but government meddling is inevitable, so it's best to look to Congress on the matter.

Representative Suzan DelBene (D-Wash.) has already started, with the introduction of the IoT Readiness Act, which could be the most important tech bill in years with the right adjustments—a true bipartisan slam dunk. Both sides will rush to be stronger than the other in distancing U.S. business from China and protecting children from tech overreach.

But why focus on IoT when AI is the big issue? AI is well recognized as the biggest commercial and societal gamechanger since the internet, and perhaps the biggest threat to humanity. But the speed of AI's takeover, for better or worse, is limited by one factor: its integration into the billions of connected devices that are invading every inch of space on Earth. McKinsey & Company projected this niche of tech, IoT, to reach $5.5 trillion to $12.6 trillion annually by 2030—significantly more than the trendier fintech industry, estimated to reach only $1.5 trillion.

IoT is really just an extension of traditional internet access, which is accepted as a public utility. Allowing AI into IoT requires the same level of federal and state scrutiny as for electricity or water. AI is an incredibly serious national security risk for consumers, enterprises, and state-owned infrastructure alike. And AI-enabled IoT—well, that's a treasure trove to be exploited by bad actors and foreign states.

Hackers harvest sensitive data from connected devices like stealing candy from babies. According to Microsoft's Digital Defense Report 2022, there were more than 100 million attacks on IoT devices in only the four weeks of May 2022—a five-fold increase year-over-year. And the pandemic-forced shift to remote technologies drove a 700 percent increase in IoT-specific malware. That's bad news for the average American home, which already has 22 connected devices—including smartphones, computers, refrigerators, thermostats, home security cameras, and more.

DelBene's initial bill only enables the government to see the future of IoT, not address the negative consequences of AI's inevitable introduction. Here are a few changes to the bill to beef up AI/IoT security and overcome the shortcomings of the White House plan:

—Coordinate the bill with Senator Gary Peters' (D-Mich.) three AI bills in the Senate. The link between AI and IoT is very real but very poorly understood in Washington, DC. If security risks of AI and IoT aren't properly evaluated together, and AI bills keep piling up, loopholes will be inevitable.

—Security must be a day one design feature for every connected device in America. Every single connected device that could feed into AI must include encrypted data transmission and storage, data minimization (only collecting data that's required for product functionality), and data anonymization.

—Mandate security standards. The White House's U.S. Cyber Trust Mark for labeling devices is useless because it's optional. There's broad industry consensus on security standards, but manufacturers often ignore best practices. A sticker on a box is like "organic" labels at the grocery store—a symbol of meeting the mere barebones standards. Effective standards must be mandatory.

—Increase civilian and academic oversight. This ensures transparency, but also reduces tension over potential political influence at the Federal Communications Commission (FCC) and other agencies.

—Tough enforcement with painful penalties for failures. World leaders missed the boat with the threats from social media, but Europe has been out front the last few years on tech regulation. The General Data Protection Regulation (GDPR) passed in 2016 and has been a gamechanger for personal data privacy, while Europe's Digital Services Act is giving Amazon and TikTok fits in 2023. If there's something to unite both sides of the aisle, it's holding Big Tech accountable. Now Europe is rushing to pass a robust AI Act.

The White House plan has bombed. The best hope for avoiding another replay of disruptive tech growing out of control lies with AI and IoT companies developing their own industry compact, with firm, actionable rules to self-govern. But government will play some part, and it's more important than ever that Congress steps in ASAP and puts some real limits on Silicon Valley's AI and IoT ambitions.

Fabian Kochem is head of global product strategy at 1NCE.

The views expressed in this article are the writer's own.