The so-called “internet of things” (IoT) is having a positive, transformative effect on industries from agriculture to health care and transportation. But it also brings new security risks. In a new policy study co-published by the Georgia Institute of Technology’s Internet Governance Project and the R Street Institute, Georgia Tech’s Farzaneh Badiei and R Street’s Ian Adams and Joe Kane examine different approaches to IoT security, concluding that market-oriented solutions and incentives, rather than ex-ante regulations and onerous liability rules, are best suited to foster both security and innovation.

“In order to maximize the benefits of the IoT, we must develop a policy framework that is able to keep up with these evolving and expanding threats and that can address the damage caused when security measures fail,” Adams said. “But before any government intervention is undertaken, we should allow security standards to develop spontaneously rather than imposing prescriptive regulation.”

The authors note IoT governance is gradually taking shape through individual actions and the interaction of networks, governments and markets. Currently, it is not clear how the landscape will evolve or which actors will gain prominence in the governance of IoT security, though there are significant reasons to be skeptical of efforts to impose a restrictive regulatory regime on the rapidly-evolving IoT ecosystem.

In fact, the IoT security landscape already includes many market mechanisms that can succeed where government action, with its structural limitations, would not. Recognizing that it would be ill-advised to impose a one-size-fits-all regulatory regime, the authors argue that policymakers should encourage these mechanisms, while simultaneously allowing private and multistakeholder standards to develop.

“This is not to say that government cannot take any productive actions in the near term that affect the broader landscape,” Kane said. “For instance, it would be entirely appropriate to clarify existing rules to remove barriers to vulnerability research. But let’s allow the market some time to calibrate to the new terrain. Doing so will maximize innovative use cases for IoT technology, while allowing security practices to be flexible and responsive. While this approach may mean tolerating some near-term failures, in the long run, it is the most likely to maximize the scope of the technology’s benefits.”