U.S. Sens. Steve Daines, Cory Gardner, Mark Warner and Ron Wyden recently introduced the Internet of Things Cybersecurity...
Improvement Act of 2017 to address what they see as glaring security issues associated with IoT devices.
The tech industry "has an insecurity dilemma," pointed out David O'Brien, senior researcher at Berkman Klein Center for Internet & Society at Harvard University. "Lots of devices and software are fundamentally insecure, and we've been unable to keep up with growing threats."
The Mirai botnet -- crafted largely with hacked IoT devices -- and its distributed denial-of-service attacks on Dyn Inc. in Oct. 2016 temporarily disrupted much of the internet. This served as "a big wakeup call that many IoT devices out there were manufactured in a fundamentally insecure way," O'Brien said. "These devices have hardcoded passwords and don't pass muster for even the most basic security requirements."
Basic security is precisely what the IoT Cybersecurity Improvement Act aims to establish. "This bill attempts to set the bar really, really low," O'Brien said. "Most security experts would agree that these requirements are just fundamental good practices."
As growth of internet-connected devices continues to soar, the attack surface is increasing as well. "It introduces all sorts of new points of entry into the system, so that safety issues come up," O'Brien noted. "If a device is compromised in some way and doesn't work as intended, it could cause a safety issue to the operator or the people around whatever the 'thing' is."
"Mirai" is Japanese for "the future," and now that we've had a glimpse of it, it's critical to start dealing with the IoT insecurity issues now to avoid a future full of large-scale botnet attacks.
Minimum IoT cybersecurity requirements for selling to feds
The IoT Cybersecurity Improvement Act applies broadly to "internet-connected devices," with such a device being "a physical object that is capable of connecting to and is in regular connection to the internet," as well as possessing "computer processing capabilities that can collect, send and receive data."
The legislation imposes three minimum requirements for such devices if they are to be sold to federal government.
Phil Nerayvice president of industrial cybersecurity, CyberX
For starters, IoT devices can no longer have default passwords that anyone can simply go search for and find on the internet. This is significant because default passwords played a role in creating the Mirai botnet, noted Phil Neray, vice president of industrial cybersecurity for CyberX, a startup that specializes in protecting industrial IoT.
Second, the bill points to the National Vulnerability Database and specifies that IoT product vendors can no longer sell any products with listed known vulnerabilities to the federal government, unless they obtain a special exception or waiver. "There are well-established procedures for testing software in an embedded IoT device for vulnerabilities and many technologies are available to do it," Neray said.
Known vulnerabilities "can be quite insidious and difficult to stamp out -- even when a patch is available," O'Brien said. "Consumers and companies don't always apply the patch, so it's refreshing to see a bill that tries to get vendors to stop including known vulnerabilities in their code."
Third, the bill requires a mechanism for patching IoT devices, which should work in a manner similar to the way cellphone manufacturers push updates and patches to customers.
If there's any pushback about patching, it will likely be due to rising costs for manufacturers. "The requirement that all devices be patchable implies that manufacturers have an entire system so that their infrastructure is set up to enable patching," O'Brien explained. "And how long do you need to continue to patch the devices? Does it still make sense for a business to sell a device that you may need to continue supporting far into the future?"
Despite these questions, and a few others about what is and isn't secure, overall, the IoT cybersecurity bill's requirements "all make sense and help to establish best practices," Neray said. "It's clear that security researchers and experts were consulted."
This is evident because security researchers engaging in "good faith research" are exempt from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act.
These two acts make for an uncertain environment for conducting independent security research, O'Brien said, adding that "any researchers exploring vulnerabilities in the products of companies need to worry a little bit that perhaps the Department of Justice will look unkindly upon their work, or that a company who views it unfavorably will either sue them to stop their research or prevent them from publishing it. So, a bit of sword and shield going on here."
Why start with these minimum requirements?
Establishing minimum IoT cybersecurity standards for selling to the federal government is a "good starting point, because it'd be much more controversial if it applied to industry selling to consumers," O'Brien said.
Rather than using regulations to force IoT manufacturers to build more security into their devices, the bill uses the federal government's buying power to motivate manufacturers. "In the past, the problem was that manufacturers had no incentive to build more security into their products because consumers were buying them anyway," Neray said. "Manufacturers tend to build devices at the lowest cost possible, which means they don't necessarily devote extra time and resources toward ensuring their devices are secure."
As you might expect, not everyone is overjoyed by feds setting IoT cybersecurity regulations. "Legislation is a blunt instrument when deployed against emerging technology, and it often may end up doing more harm than good," said Amol Kabe, vice president of product management at Netskope Inc., a cloud security company. "The trick for addressing IoT security is to find the right balance between imposing unrealistic expectations on startups that are new to the market and the needs of society in general with regard to security."
Kabe cautioned that determining which technologies will thrive "is a decision best left to the market," but added that legislation that promotes adoption of industry best practices to hold both enterprises and IoT vendors to these standards "will be the least disruptive to organizations."
Who will feel the bill's impact most?
IoT startups and companies new to the world of regulations and compliance may be hit with some significant processes to their technology and their business, said Danielle Jackson, chief information security officer at SecureAuth, which provides adaptive access control technologies. "There may need to be an equal amount of focus on the technology of the product in addition to internal practices that incorporate security and regulatory requirements."
Larger and established IoT companies probably won't feel the impact of the IoT Cybersecurity Improvement Act as much as smaller ones. But startups may be "at an advantage as well if they build and integrate these requirements from the beginning," Jackson added. "I also see a challenge for IoT companies to keep costs down as they bake these requirements in. Are these IoT companies willing to eat the extra costs? Are they giving discounts to the U.S. government and making consumers pay the difference?"
IoT companies that are dependent on or generate a large percentage of revenue from sales to the U.S. government may find themselves making the necessary adjustments to comply. "There may be other drivers, but most are revenue-based. Perhaps some IoT companies will modify products or split product offerings, offering products that meet the U.S. government requirements or regulations, other products would be available to the masses," Jackson said.
Just the start of IoT security regulations
Efforts are already well underway within different parts of the government and the private sector to establish IoT security best practices and requirements, "but it's fair to say we're still in the very early stages," O'Brien said.
Analysts predict that 50 billion devices will be connected within just 10 to 15 years, so "it will affect a profound number of nodes on the network -- far more than now, with primarily just computers connecting to it," he continued. "If this is true, it's absolutely just the beginning and we'll be having this conversation for a quite a long time."
The federal government is one of the largest purchasers of IT, so now that it has established some basic security standards for IoT, "in theory, if you want to sell to the government, you might as well make all of your products -- including those you sell to consumers and enterprises -- adhere to the same standards," O'Brien said. "So, perhaps it will make IoT devices become more secure. But that's the big question here: Will it truly ratchet up the standards for consumers and enterprise?"
Learn why security for IoT begins in the chip
IoT security vs. physical security vs. conventional security
Which vendors are changing the state of IoT security?