Most of you have heard of the internet of things, the catchall phrase for common devices, such as routers, cameras, printers, refrigerators, door locks and so on, that have been enabled by their manufacturers to be controlled or to communicate over the internet.
Most of you have also probably heard that the security of most of these devices is compromised, resulting in spectacular attacks from bad actors, such as the Mirai malware that hit the Dyn DNS service provider and subsequently affected service to the Krebs on Security website in September 2016. Use of connected devices is expected to grow exponentially — and so will the security problem.
Now, the U.S. Senate also recognizes the problem and is trying to do something about it. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 is a bill before the U.S. Senate that seeks to improve the security of internet-connected devices.
What is this proposed bill, what does it do, how does it affect me, will it work and should I support it? We hope to shed light on these questions here.
The IoT Cybersecurity Improvement Act of 2017 is a bill before the U.S. Senate that seeks to improve the security of internet-connected devices. It was introduced by Senators Cory Gardner (R-Colo.) and Mark R. Warner (D-Va.), co-chairs of the Senate Cybersecurity Caucus, and Senators Ron Wyden (D-Wash.) and Steve Daines (R-Mont.). According to one article, drafters of the bill worked together with the Atlantic Council and the Berklett Cybersecurity project of the Berkman Klein Center for Internet & Society at Harvard University.
The bill defines IoT devices broadly; basically, any device that is connected to and uses the internet is an IoT device. You may be thinking that the bill would put requirements on manufacturers of such devices, but it does not; it takes a different tack. In short, the bill directs government agencies to include certain clauses in their contracts that demand security features for any internet-connected devices that will be acquired by the U.S. government. The bill outlines what these clauses are and how a waiver of these requirements can be obtained.
The bill further goes on to amend the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) to exempt researchers “acting in good faith” and “acting in compliance with the guidelines.” The bill tasks the Office of Management and Budget (OMB) to work with other agencies, such as the National Institute of Standards and Technology (NIST), in setting such guidelines, as well as guidelines to be followed in the clauses added to government contracts as stated above.
The sponsors of the bill should be applauded for trying to tackle the security problems that the internet faces due to many of our internet-connected devices. They recognize that a problem exists and seek to rectify the problem with laws that address this situation.
There are obvious limitations and exceptions, but we are aware of no other legislation that comes close to trying to increase the security posture of such devices.
You can read the bill itself; it is probably no more than a half-hour read and is understandable. But you should look up what is meant by “executive agency” and the CFAA and DMCA. Below is a summary and paraphrasing of some of the details of this bill.
The bill mandates that government agencies buying such products include in their procurement contracts clauses that specify:
- The contractor (the entity selling the IoT device) provide written certification that:
  - The device does not contain any known security vulnerabilities or defects that are listed in the NIST database of vulnerabilities or other such national database;
  - All components are capable of being updated securely from the vendor;
  - It uses only industry standard protocols and technologies; and
  - It does not include any fixed or hardcoded credentials used for remote administration, delivery of updates or communication.
- That the contractor will notify the purchasing agency of any known security vulnerabilities or defects subsequently disclosed to the vendor by a security researcher, or of which the vendor otherwise becomes aware, for the duration of the contract.
- That software or firmware components can be updated or replaced, consistent with other provisions of the contract, in order to fix or remove a vulnerability or defect in the component in a properly authenticated and secure manner.
- A contractor requirement to provide repair or replacement in a timely manner with respect to any new security vulnerability discovered through any of the "national databases" or through the coordinated disclosure program.
- A contractor requirement to provide the purchasing agency with information on the ability of the device to be updated, such as:
  - The manner in which the device receives security updates.
  - The anticipated timeline for ending security support.
  - Formal notification when security support has ceased.
  - Any additional information recommended by the National Telecommunications and Information Administration.
Exceptions may be granted if the executive agency reasonably believes that the device has "severely limited functionality" as defined in the bill; within 180 days after enactment, NIST shall define what this term means.
Exceptions also exist for existing third-party security standards for devices that provide an equivalent or greater level of security than that described above. These must be NIST accredited.
The same exceptions are available where agency security evaluations standards already exist.
The bill requires that not more than 180 days after enactment, the head of each executive agency establish and maintain an inventory of IoT devices used. OMB is instructed to issue guidelines for the agencies for this inventory no later than 30 days after enactment and to work with the secretary of Homeland Security to do this.
The last paragraph directs the director of NIST to ensure that NIST establishes, maintains and uses best practices in the identification and tracking of vulnerabilities for purposes of NIST's National Vulnerability Database.
Areas where the bill misses
What follows is the opinion of ISE and is based on certain assumptions:
- The bill only applies to vendors that sell to the U.S. government. The hope is that by using the purchasing power of the federal government there will be spin-off from the manufacturers to provide the same level of security to consumer-grade products. However, one has to ask: Are the IoT devices that the government uses the same devices that are sold to consumers? This is likely the largest area where the bill falls short. Many of the largest cyberattacks on the internet have leveraged vulnerabilities from internet-connected consumer devices. Without fixing these types of consumer devices, large attacks on and from the internet will persist.
- NIST and other government agencies will be responsible for tracking in a database vulnerabilities that pertain to internet-connected devices. Nothing is said about funding such an effort. These databases should be publicly searchable; however, if search is not robust enough and easy enough for vendors and also consumers to use, it is possible that vulnerabilities will be missed. We are not saying that this is likely, but the possibility is there. In general, we feel this requirement is a good move, but the details need to be worked out. Note that databases of vulnerabilities do exist, but the type of database considered here deals specifically with internet-connected device deficiencies, and not such general things as cross-site scripting vulnerabilities which can be found on many webpages, for example.
- Exceptions and waivers are allowed. Each executive agency has sole discretion on whether to grant them, within the wording of the bill. Because the bill defers mostly to the executive agencies, there is the possibility that security could take a back seat to convenience under this clause. More precise wording and standards in this part of the bill could take away some of this discretion.
- There are no liability or criminal penalties associated with this bill. The incentive is dollars from the government. While this is a huge incentive, not all internet-connected devices are suitable for government use. What incentive is there for a vendor that supplies an insecure device used by hundreds of thousands of people, if that device is leveraged in an internet attack on, say, a bank?
- It does not address cooperation with other countries in keeping the internet safe from insecure internet-facing devices. Stipulation of such types of requirements for treaties with other nations going forward could go a long way in helping to stop the worldwide problem of insecure devices. Let us be very clear about this: The problem of insecure internet-connected devices is not a national problem, it is a global problem.
- There are no certification or development-process requirements on manufacturers when they build their products. We feel that the bill should further include provisions for at least the following (this list is not exhaustive):
  - A security model (stated threats and assets being protected)
  - Risk analysis
  - Design methodology
But then, this bill concerns contractors more than manufacturers — another failing of the bill. By targeting manufacturers, rather than just the vendors that sell to the U.S. government, a stronger possibility exists that manufacturers will build in security, not just for devices sold to the U.S. government, but also devices sold to average consumers. See the section below on “manufacturer’s impact.”
Security research impact
ISE puts a strong emphasis on research and we are pleased to see that the bill has tried to ease some of the verbiage from older statutes that affect the private industry in this regard.
The bill directs the National Protection and Programs Directorate in “consultation with cybersecurity researchers and private-sector industry experts” to issue guidelines for each agency for internet-connected devices in use by the U.S. government regarding “cybersecurity coordinated disclosure requirements that shall be required of contractors providing such devices.” This will include policies and procedures for conducting research. This is mandated to be based, in part, on ISO 29147 (or any successor standard), which concerns vulnerability disclosure. It also requires that the research be done on a device of the same class, model or type of device that will be or is used by the government and not on the actual device that is in use (so, no attacking the White House’s router, for example, in the interest of research).
The bill amends the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, by adding a new subsection that says this section does not apply to persons who, in good faith, research the cybersecurity of an internet-connected device of the class, model or type provided by a contractor to a department or agency of the U.S. and acted in compliance with guidelines to be issued.
The bill further amends the Digital Millennium Copyright Act, 17 U.S.C. Ch. 12 sections 1203 and 1204, to say pretty much the same thing as for the CFAA above. The two sections mentioned deal with civil liabilities and criminal penalties, respectively.
We see some problems with the wording. For example, say an internet-connected door lock commonly used in households is being tested for vulnerabilities. It is not clear that such research is protected if the same type of door lock is not used by the U.S. government. The federal government tends to use much more secure and expensive door locks than are commonly found in private homes; yet is not the security of home locks important too?
Barring exceptions and waivers, this bill mandates that security be built into contracts for buying internet-facing devices. In effect, this bill should provide overall widespread government adoption.
Unfortunately, we do not see this likely to spread to the private industry — at least where the device inventories do not intersect. While we could be wrong, we expect the set arising from this intersection to be small.
Manufacturers are only indirectly impacted by this bill. The bill is primarily directed at contractors that sell to the U.S. government rather than the makers of the devices. The hope is that dollars will influence behavior of these manufacturers. Those that take security seriously will be rewarded by being able to sell to the U.S. government.
It is great to see that the contractual requirements address not just products themselves, but the whole lifetime that devices are being used from procurement through retirement. Security is not a “one-time effort and it’s secure” sort of thing — it requires continuous test and change; it is an ongoing process.
If there is one area lacking in this part of the bill, it is the lack of requirements during product development, as was mentioned above. Threat modeling, enumerating trust assumptions and exploring custom attack vectors will force developers of internet-connected devices into taking an adversarial view. This perspective should be taken during the lifetime of the product.
Adopting the adversarial view means engaging third-party security experts to evaluate security on a frequent, periodic basis, say every six months at a minimum, and before updates to the device are rolled out.
If manufacturers are forced to provide for the security of devices they sell to the government, then it is possible this culture will affect their consumer-grade devices. This is a best case scenario, however.
We also recognize that a balance is needed between legislation and manufacturer innovation. Mandating security directly of the manufacturers is more heavy-handed than the approach currently taken in the bill.
The last thing that should be mentioned about manufacturers: While the security posture of many IoT devices that we have tested is poor, ISE has found that a few vendors do take security seriously. We are hopeful that this bill will result in rewarding those particular manufacturers while weeding out those for whom security is an afterthought, or for those who just pay lip service to the idea with misleading jargon such as “military-grade encryption” or “bank-vault security,” as if security were a one-shot deal.
Connected end-user impact
Our prediction is that this bill will not impact the average consumer much, if at all. Unless the types and models of devices that the government uses are the same as consumer devices, we do not see manufacturers paying attention to security of a very large portion of the market: the consumer market.
We see U.S. government agencies buying devices such as large internet routers and telecommunications equipment, for example, and not an internet-connected toaster. However, a league of internet-connected toasters can still be leveraged to DDoS an internet provider.
ISE is working together with principals of other commercial interests, such as the entertainment and hospitality industries, in setting standards for security. As with consumer devices, we feel this bill will only affect such industries indirectly, as only those devices that are sold to the U.S. government are covered.
However, the guidelines that the bill mandates that NIST and other government agencies develop could be an exemplar for standards of other groups. It will be interesting to see how much of this legislation spills over into other commercial standards.
As far as implications abroad, it is hard to say. In many areas of technology, the world follows the United States. This may come about in two ways:
- Similar legislation may be prompted by this bill in other countries; and
- The same devices that the U.S. government buys will be bought in other countries.
The extent to which this will happen is unknown.
While there are shortcomings to the bill, we feel that it is a step in the right direction. It is the first bill that we know of to address internet-facing devices specifically. It also addresses some shortcomings of the CFAA and DMCA in terms of bona fide research.
Bear in mind that things may change before the bill is voted on. It should be interesting to follow this bill as it makes its way through the United States Congress, and possibly to its signing into law by the president.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.