Earlier this week senators Mark Warner, Cory Gardner, Ron Wyden, and Steve Daines introduced a bill aimed at improving Internet of Things (IoT) device security. Long considered a problem amongst security practitioners, the cybersecurity of unmanaged internet-connected devices has risen to a level of public interest. As such, a bipartisan set of senators, with a little help from advocacy groups in the private sector, has put forth legislation that would establish guidelines for federal agency procurement of anything IoT, be it “smart” lighting, HVAC, physical security equipment, or myriad other internet-connected device types.
In a succinct one-page summary, Senator Warner highlighted that, “This legislation is aimed at addressing the market failure by establishing minimum security requirements for federal procurements of connected devices.” IoW (In other words), IoT has been allowed to proliferate without significant attention paid at the design and manufacturing levels to cybersecurity consequences, yet any internet-connected device poses a risk to its users. This is not new news to the security community, and in fact, long before “IoT” was a buzzword, security professionals were touting the dangers of unmanaged technology to the masses. But back in 2013, when this segment featuring David Kennedy on the Katie Couric Show aired, security teams had some modicum of say in the technology used by the corporations that employed them. With IoT, and every product on the planet being built with internet-connected capabilities (I, personally, was just gifted a pet cam that not only allows me to watch my pet at home while I am in the office or traveling, but also allows me to record video if he does anything cute, talk to my pet, and dispense treats on demand), security is rarely involved in R&D conversations. Almost without exception, decisions around new product development happen in very different areas of the company. Just because products are now being developed with internet connectivity, business processes haven’t changed, leaving security (once again) as an afterthought. What this means is that devices are shipped to consumers with little to no security integrated, and consumers are left woefully unaware or unprepared.
It's our time to make a move
What is so positive about this proposed legislation, titled “Internet of Things Cybersecurity Improvement Act of 2017,” is focus on secure development of the devices. In the past, the idea has always been “get it out to market, fast!” Security is always the group warning everyone to slow down, but with this bill, Congress is proposing a slowdown in the interest of public safety.
First and foremost, the legislation requires (what should be considered basic) security standards for all IoT purchased by the government: devices must be patchable, must not contain any known vulnerabilities as recorded by NIST, must conform to non-deprecated industry-standard protocols (including the use of encryption), and may not include any hard-coded credentials used for remote administration.
It’s our time to make amends
If and when these requirements cannot be met by the vendor, purchasers may request exceptions through the Office of Management and Budget (OMB), but only if the purchasing entity can prove it has implemented equal or better compensating security controls. Further, the legislation would form a partnership between the DHS National Protection and Programs Directorate (NPPD) and industry “to develop coordinated disclosure guidelines for vendors selling IoT to the U.S. government,” in an effort to help researchers uncover and responsibly disclose vulnerabilities to vendors and users so that reasonable mitigation can occur.
Additional details are included in the full document.
It’s our time to break the rules
Sad as it may seem to the security community, the almighty dollar reigns supreme, and over the years security has frequently lost out in favor of ease of use, time to market, or enhanced user features. Should this bill pass, the dollar is finally going to dictate security. Will immediate effects be felt in consumer markets? No, definitely not. That said, the government has a tremendous amount of purchasing power and the trickle down effect is soon to follow a money trail (or the potential thereof).