FTC Seeks Input on Privacy and Security Implications of the Internet of Things; FTC Project No. P135405; Commission Staff to Conduct Workshop on November 21, 2013 in Washington, DC #00003 

Submission Number:
Steven Kester
Advanced Micro Devices (AMD)
May 31, 2013
Ms. Karen Jagielski
Bureau of Consumer Protection
United States Federal Trade Commission
Room H-113 (Annex B)
600 Pennsylvania Avenue N.W.
Washington, DC 20580
Via Email: iot@ftc.gov
RE: AMD Comments in Response to FTC Request for Input on the Privacy and Security Implications of the Internet of Things
Dear Ms. Jagielski:
We are writing to provide comments from Advanced Micro Devices (AMD) in response to the FTC’s request for information in advance of the November 21, 2013 workshop on the privacy and security implications of “The Internet of Things.” We appreciate the opportunity to provide our views on this important topic given its importance to our business and customers and consumers we serve.
AMD is a global semiconductor design company that produces graphics cards and microprocessors that power millions of the world's personal computers, tablets, gaming consoles, embedded devices and cloud servers. Headquartered in Sunnyvale, California and founded in 1969, AMD is one of the original Silicon Valley semiconductor companies, and today we employ approximately 10,000 people and maintain engineering and business locations around the world. AMD serves a global customer base, including many of the companies that produce the underlying infrastructure for the Internet and computer networks in general.
Enabling “The Internet of Things” - the ability of everyday devices to communicate with each other and with people - is an important aspect of AMD’s technology development and a key growth trend for our industry. As computing and networking technologies continue to expand and enhance the capabilities of a wide range of end-use products, from industrial equipment, to electronic medical equipment, to mobile computers, to other “smart” electronic devices, the interdependence of these networks and the amount of data that is generated also increases, which raises important questions about privacy and security.
We believe the FTC is right to inquire about the potential security and privacy issues that may arise as a result of the increase of networked devices, and we are also pleased to report on some of the steps that AMD and others in the technology industry are taking to address such issues. Further, because security and privacy threats are ever-evolving with changes in technologies, there is a need to continue to expand IT security horizons through well-funded and coordinated research efforts.
AMD is engaged in a number of collaborative research efforts with other companies to address “grand challenges” in IT security, as well as evolving threats and vulnerabilities. AMD is a founding member of the Cyber Security Research Alliance (CSRA), for example, which also includes Lockheed Martin, Honeywell, Intel, and RSA, and is dedicated to IT security research with academia and government partners. CSRA recently organized a workshop with the National Institute for Standards and Technology (NIST) to identify research projects to protect Cyber-Physical Systems, which are generally embedded and networked systems used in everything from industrial control and critical infrastructure solutions like the power grid, to medical and in-vehicle systems. More information is available here: http://www.nist.gov/itl/csd/cyberphysical-systems-2013-workshop.cfm.
AMD is also a founding member of the U.S. Semiconductor Research Corporation’s (SRC) recently formed “Product Security” work group, which is exploring options for addressing both policy and technology issues related to cyber security. This organization recently organized a workshop with the National Science Foundation and the Computing Community Consortium (CCC), aimed at exploring opportunities for research in the semiconductor design assurance/security domain. More information is available here: http://www.cra.org/ccc/SA-TS-Workshop.php.
We would welcome the opportunity to share more information about these and other efforts we are engaged in to help address short-, medium-, and long-term IT security threats and vulnerabilities.
Below are our responses to some of the specific questions posed by the FTC.
Q: What types of companies make up the smart ecosystem?
R: A wide array of industries and companies make up the smart ecosystem, from the fundamental computing and networking technologies provided by semiconductor companies and other electronic component suppliers, to computer and networking system-level technology suppliers, data center operators and data network and telecommunications infrastructure providers, and a rapidly expanding number of industries and technologies that integrate “smart” technologies into their products and services. These industries include transportation, medicine, communications, financial services, entertainment, industrial operations, utilities, information technology, and many others.
Q: What are the current and future uses of smart technology/How can consumers benefit from the technology?
R: Examples of current smart technology deployments include “smart meters” in the electric utility industry that allow utilities and their customers to track and manage electricity consumption, networked medical devices that allow medical professionals to capture and manage data to assist with diagnosis and treatment, and real-time data collection on data center traffic and deployment of efficiency management measures, among many others.
Future uses of smart technologies may include “smart cars” and traffic management systems that improve safety and greatly reduce the potential for driver error, real-time search capabilities to accurately and rapidly identify and locate criminals, and affordable personalized medical prevention measures and treatments that provide “anytime” access to diagnosis and treatment options that are optimized to an individual’s specific medical history, genetic make-up, and overall needs. These uses and others can deliver significant benefits to consumers by providing on-demand access to a wide array of services and information, enabling new applications and uses of data that can improve efficiency and save time, resources, and money.
Q: What are the unique privacy and security concerns associated with smart technology and its data? For example, how can companies implement security patching for smart devices? What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
R: As data collection increases from the proliferation of smart devices, so will the ability to exploit the data, or networked systems, for illegal purposes. For example, data obtained from an individual’s banking activities could be criminally exploited, or a real-time online health monitoring system could be compromised and create a threat to that individual’s privacy, health and safety. A number of steps are currently being taken to provide security for IT networks and systems that support smart devices and technologies, and as smart technologies continue to proliferate additional steps can be taken to improve security and protect sensitive data.
For example, AMD’s current processor technologies utilize several features that address potential security threats and help protect sensitive data, from our on-chip Enhanced Virus Protection (EVP) technology that prevents certain types of malware from executing harmful code, to our secure boot/secure kernel initialization that provides a base layer of trust and control for computer systems. Our I/O virtualization technology is another security feature we incorporate into our products that allows computers to access peripheral devices securely, as well as recognize devices that are not secure. AMD also integrates technology into our products that enhances the performance of other IT security applications, such as encryption technologies that are among the most widely used and most secure means of protecting sensitive data and networks.
In addition, AMD recently collaborated with ARM, the largest technology processing technology for the global mobile device markets, to integrate the ARM® TrustZone® technology into AMD’s Accelerated Processing Units (APUs) via a system-on-a-chip (SoC) design methodology. The technology resulting from this collaboration will allow consumers and businesses to secure their data and perform secure transactions, such as banking transactions, with a much greater level of trust and protection than current technologies. This industry-first collaboration will help accelerate broader ecosystem support by aligning x86 hardware – the current computing industry standards – with the world’s most broadly-adopted mobile security ecosystem – ARM-based technologies. The security-focused collaboration between AMD and ARM is the basis for on-chip, protected, and dedicated security functionality that serves as a foundation and enabler for authentication, data protection, and privacy related solutions that matter most to consumers and businesses, with a level of hardware-based security assurance not previously available in commodity commercial products.
Q: How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve health-care decision-making or to promote energy efficiency? Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?
R: In many cases, the potential benefits of smart technologies are likely to far outweigh the calculated risks of exploitation in a wide range of areas, from improving people’s health and longevity, to identifying and addressing the effects of climate change, to creating new economic drivers and efficiencies, to advancing scientific knowledge and capabilities. Security and privacy concerns, of course, must be addressed to protect individual liberties and prevent potentially harmful security breaches. Employing risk management frameworks that can help identify and prioritize threats and vulnerabilities for critical data and systems is one important means to determine how to categorize different types of data and systems and address the potential threats and vulnerabilities they face. Further, data might be de-identified or encrypted, to allow for secure use and sharing across networks.
Higher-level policies, such as Opt-in vs. Opt-out, will be decided by societal norms, business requirements, and government regulation. From a technology perspective, the balance between privacy and societal benefits is typically manifested in the ability to realize and manage machine-readable policy, and ultimately to control – enable and disable – specific security and privacy related technologies, mechanisms, protocols, etc. Wherever possible, it is imperative that technology not dictate policy. Instead, technology must be flexible enough to support and enforce a range of potential policies, and that range must include privacy, confidentiality, integrity, interoperability, and availability, while preserving capabilities.
Again, thank you for the opportunity to share our perspective on some of the security-related questions posed by the FTC. We hope you find this information useful and we welcome additional questions you may have, as well as the opportunity to participate in the FTC’s November workshop.
Best regards,
Steven Kester
Director, U.S. Government Affairs
Advanced Micro Devices (AMD)