US Congress’ proposed IoT security requirements: A balancing act
The Internet of Things poses a hydra-headed security threat. On the one hand, there’s a plethora of applications, devices, communication protocols, software and hardware. And on the other, there’s the variability in security practices across IoT vendors, some of which don’t require end users to follow basic security measures.
Recent legislation proposed by Senators Mark Warner (R-Va.) and Cory Gardner (D-Colo.), known as the Internet of Things Cybersecurity Improvement Act of 2017, aims to address these challenges by establishing baseline IoT security requirements for IoT technology sold to the federal government. The proposal mandates that IoT vendors serving the government offer products that are patchable and use standard protocols while stipulating that they don’t use hardcoded passwords or ship with known security vulnerabilities. Furthermore, it asks vendors to offer long-term patching and security support for the devices. Finally, the legislation would force government agencies to keep an inventory of IoT devices.
Not prescriptive enough, too rigid or just right?
While the proposed law has faced a mixed reaction in the security community, most experts view the legislation as a step in the right direction. For instance, Bruce Schneier, fellow at Harvard Kennedy School of Government, explained in a statement that he applauds “Senator Warner and his co-sponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government.” Similarly, Bob Noel, director of marketing and strategic partnerships at Plixer International, said: “I think there are some fundamental elements of this legislation that are fantastic. It is raising awareness, and it is creating some degree of standards for vendors who today aren’t accountable even for basic security missteps.”
Other experts praised the intent of the proposed IoT security requirements while noting that the problem of IoT security will require careful planning to address. “Something will have to be done about this pending [IoT] security crisis,” said Kenneth Geers, Ph.D., a senior research scientist at Comodo Group and a NATO Cyber Centre ambassador, acknowledging that regulation is an important part of the IoT security puzzle. In the end, though, regulation may only be part of the solution, he said. “The government must try a variety of measures, including regulation, business incentives, fines and more money for education.”
[IoT Security Summit, co-located with Blockchain360 and Cloud Security Summit, explores how industry-wide security, privacy and trust can be established to unlock the full potential of IoT. Get your ticket now.]
While praising the intent behind the proposal, Craig Spiezle, chairman emeritus and founder of the Online Trust Alliance (OTA), wishes the legislation had a broader vision and clearer requirements. “Good legislation could apply not just to the federal government, but to state and local levels of government as well, and that would hopefully raise the bar for everyone,” explained Spiezle, who is also a strategic board adviser to the Internet Society. The proposed IoT security requirements are lightweight, Spiezle said. “If I had the pen, I would have more requirements on, for instance, how the devices collect data.” Spiezle would also like to see a mandate for responsible vulnerability disclosures that guides how end users and third parties report IoT security problems. The proposal also should have a more prescriptive approach to encouraging good password hygiene, he said. While the legislation correctly points out the risk of hard-coded passwords, it would be better if it forced users to create a unique password on the first use, he said. In addition, multifactor authentication and algorithms to detect abnormal sign-ins could also be helpful security strategies for some IoT devices.
A broad framework for confronting vulnerabilities
The Internet of Things Cybersecurity Improvement Act of 2017 broadly focuses on “federal procurement of connected devices,” demanding a certain amount of interpretation from legal and security experts. Given the impossibility of creating an absolutely secure IoT device, the guidance that connected devices not contain “known vulnerabilities” would leave room for interpretation. “I think they meant ‘no known critical vulnerability,’” Spiezle said. “When automobile companies ship a car with a known safety defect, they are held accountable.” The same principle should apply to IoT devices, he reasoned. “Every software product is going to ship with some kind of a bug,” he acknowledged. “But once you identify and classify that bug, it becomes a vulnerability that a manufacturer can address. What this law is trying to do is to stop companies from rushing IoT products to the market without fully testing them.”
Noel agreed that the broad-based policy against security vulnerabilities is better than a narrow one, in that it would encourage the industry to come to a consensus and make improvements over time. “I don’t think tightening up the language is the right way to go,” Noel said. “Technology moves faster than regulation, so it is difficult to be precise here.”
The thorny subject of IoT security economics
The selling point of IoT for government and enterprise has been its potential to drive efficiency and performance of a selected application. Increased regulation could chip away at these benefits unless it considers the intricacies of how IoT influences the economy, said Peter Tran, RSA’s Advanced Cyber Defense general manager and senior director. “In broad strokes, the proposed legislation is a step in the right direction, but it could stand to be a heavy counterweight to IoT’s core promise of driving quality of living and economic engagement.”
In any event, it is challenging for a bill written at this stage of the IoT adoption cycle to provide a fundamental improvement in IoT security at large. Legislation needs to be flexible to accommodate the growth trajectory of the technology while also acknowledging the numerous devices already in use, Tran said. “We are not talking about a bunch of novelty toys that need to be reined in for safety reasons,” he explained. “There are already billions of IoT devices that don’t have a foundational security standard. Forcing a ‘clean bill of IoT security’ could force IoT into a tailspin. You do want to drive safety and security but, at the same time, continue to cultivate the innovation, diversity and growth to the market that can have high degrees of interdependencies across a multitude of cross-functional industries.”
Nitin Kumar, senior managing director at FTI Consulting, agrees that legislation like this could lead to added costs for IoT technology, but noted that he doesn’t think it would slow adoption. “Fundamentally, IoT business models are based on the assumption that hardware is commoditized,” he said. The selling point for IoT hardware is often that it will be “be subsidized or funded by software, services, analytics, advertising and so forth,” he reasoned.
While it is possible that the legislation’s focus on government procurement of IoT devices could lead some vendors to create separate products for government and non-government buyers, most vendors serving both will likely improve the security of their entire product line.
“Yes, some vendors will establish separate product lines and divisions for governments. This happens today in many companies,” Kumar says. “People working in those divisions need to adhere to a different standard of physical and digital security.”
Noel is more optimistic that the legislation will improve security across the IoT landscape. “I don’t think it would make sense for a manufacturer of an IoT device to bifurcate their product unless it dramatically changes their cost model,” Noel said. “In most cases, I see this as forcing pretty much everybody to up their game.” The one possible exception is that vendors that sell to the enterprise but not the government could try to compete against vendors that cater to both groups. Such vendors could hypothetically prioritize time to market and the price point of their products over security.
But deprioritizing security could be a losing strategy in the long run, as it could invite attacks that do unprecedented damage, which might ultimately stall IoT adoption. “We are not just talking about normal internet security here,” Spiezle said. “IoT devices can pose physical security risks.”