Good news: The U.S. House of Representatives just passed the Internet of Things (IoT) Cybersecurity Improvement Act of 2019.
Good because if any ubiquitous element of modern life needs improvement, it’s the security of the IoT, which is rapidly becoming the Internet of Everything and which is notoriously insecure. Blogger, activist, and author Cory Doctorow famously called it the “Internet of Sh — .”
The vast and endlessly growing IoT is the biggest attack surface in the world. And when hackers can compromise some of those devices there can be physical consequences — a “smart” home security system disabled, utility services interrupted, a vehicle or a connected medical device under the control of an attacker. Those are just a few of the demonstrable risks.
So anything that improved IoT security, even incrementally, would be a good thing.
Of course, when it comes to legislation, the devil is always in the details. But at least some of those details are getting good to mixed reviews.
- It has bipartisan support — almost unheard of in today’s toxic political environment. In the House, co-sponsors are Reps. Will Hurd, R-Texas, and Robin Kelly, D-Ill. On the Senate side, it’s Mark Warner, D-Va., and Cory Gardner, R-Colo.
- If the bill makes it through the Senate and gets signed into law, it would use the purchasing power of the federal government as leverage. It would mandate that the feds buy only devices that conform to security standards set by the National Institute of Standards and Technology (NIST). Those standards will be required to cover secure development, identity management, patching, and configuration management — long considered security fundamentals.
- It also orders the Office of Management and Budget (OMB) to issue guidelines that conform to the NIST recommendations and to review and possibly update them at least every five years.
- It doesn’t call for a heavy regulatory hand — it tells vendors what to do but not how to do it. It doesn’t even tell them they have to do anything. The simple message is: We won’t buy from you unless you do.
But it would be the first time that the federal government has implemented IoT standards with some economic teeth in them. As James Lee, chief operating officer of the Identity Theft Resource Center, puts it, the federal government “has a lot of market clout.”
“The U.S. government buys about $1.2 trillion of goods and services each year — 60% on defense,” he said, noting that “most states also follow federal standards when making purchases, adding to the incentive to meet a NIST standard.”
- The definition of devices covered by the law — an area where legislative language frequently has far too much wiggle room — has a measure of specificity. Devices covered by the law must have “at least one transducer (sensor or actuator) for interacting directly with the physical world, (and) have at least one network interface.”
That definition isn’t entirely airtight, however. Chris Clark, principal security engineer, strategic initiatives at Synopsys, notes that “the definition of an IoT device is followed by a list of exclusions and a process for modification of the definition.”
- It also directs NIST to develop guidance (with the help of experts) on coordinated vulnerability disclosure policies, and it requires contractors and vendors that want to sell IoT devices to the federal government to adopt those policies. No more keeping vulnerabilities secret, in other words.
But again, that doesn’t necessarily mean everything is good.
First, it has taken more than three years to get the legislation through just one house of Congress. The bill that cleared the House was first introduced in 2017, and died. It took two years for it to be reintroduced. It didn’t take final form until earlier this year, after NIST issued recommended standards this past March. Then it took another six months to get it to a vote.
And obviously, given that it’s an election year and Congress is consumed with other, more high-profile battles, the odds are not great that this version will make it to the president’s desk. Even if it does, most of the key provisions of the bill won’t take effect for six months to two years after it becomes law.
That’s enough time for multiple generations of IoT devices to be introduced, for the IoT to explode from an estimated 8.4 billion connected devices to the current estimated 31 billion, and for cyberthreats to evolve as well.
All of which might seem to support the contention by some experts that government bureaucracy is simply too cumbersome and slow to keep up with a market that moves as explosively as this one. Figuratively speaking, it sounds like a horse and buggy trying to keep up with a Ferrari.
But Lee says this is nothing new — technology has always moved faster than laws and regulation. He notes that the Interstate Commerce Act, meant to regulate railroads, came six decades after the first railroad was built; that the first U.S.-manufactured car was sold in 1896 but the first traffic signal didn’t show up until 1913; and that the Computer Fraud and Abuse Act of 1986 came nearly 20 years after the first attacks against modern computer systems.
“That is the very nature of innovation, so by historical standards, we’re right on time if not early,” he said.
Also, if the bill does pass it will allow, relatively speaking, more rapid response. As threats and security best practices evolve, NIST and OMB can simply update the standards rather than having to return to Congress to seek an amendment to the law.
Lee said even if the bill doesn’t become law this year — and he thinks the chances that it will are slim — NIST is now taking comments on draft IoT security guidelines for manufacturers. “The underlying work anticipated in this bill is almost done,” he said.
What data protection?
Still, even after three-plus years and multiple revisions, it doesn’t appear to cover all the bases yet.
One of the primary security and privacy risks with IoT devices — indeed, with any device, system or network connected to the internet — is the collection, storage, and sharing of data from users or customers, including personally identifiable information (PII), credentials, and payment information, not to mention purchasing patterns, location information etc.
But the four main areas (noted earlier) that the bill requires NIST to address don’t include data protection, either at rest or in transit. And among security fundamentals in a connected world is rigorous encryption of data so that, even if it’s stolen, it’s worthless.
Boris Cipot, senior security engineer at Synopsys, said even data that seem to be insignificant, like that produced by a smart light bulb, can put a user in physical danger.
“What if I am an attacker and collect such data to see what your usage pattern is to see when you are at home and when not?” he said, adding, “All data is worth protecting.”
Lee is confident the issue will be addressed by NIST in its development of a standard. “I suspect any final NIST standard will do so. It’s in the current draft (of security recommendations for IoT devices),” he said.
Clark said the lack of any explicit directives on data protection demonstrates that the bill “doesn’t look at the issue of cyber security holistically.” But he agreed that NIST can include data protection requirements like that in its standards recommendations. “That is the nature of standards development,” he said.
Regarding vulnerability disclosure policies, Cipot said the “coordinated” piece of it is important. “If a vulnerability isn’t publicly known and isn’t already being exploited by hackers, the manufacturer needs to be given some time to create a patch or update before being required to make it public,” he said.
Of course, disclosing a vulnerability with a patch available doesn’t guarantee that every user and customer will install it. Perhaps the most infamous example of that is the catastrophic 2017 breach of credit reporting giant Equifax, enabled by the company’s failure to install a patch for a vulnerability in the Apache Struts open source web software — a patch that had been available for two months before the breach.
And Equifax is not an outlier. Lee calls the provisions of the current bill regarding disclosure “a good start,” but notes that “vulnerability and patch management has been an issue with IoT devices from the beginning.”
“The federal government, like every other software-dependent enterprise, already struggles to patch known flaws on a timely basis. More notices do nothing to help speed up the patching cycle for agencies and may, in fact, lengthen it,” he said.
And then there are exemptions — another frequent reality in the sausage-making process of legislation. In this bill, they aren’t limited to the exclusions from the definition of a covered device; they extend to compliance with the standards themselves.
Larry Trowell, associate principal consultant at Synopsys, points to one of them. The bill would allow the head of an agency to ignore the “policies, principles, standards, or guidelines” in the law for a number of reasons, including if a device is “of substantially higher quality or affordability” than a product that meets the standards.
“That says, ‘if it’s cheaper to use a nonsecure version, use it,’” Trowell said, noting that it makes things no better than the current situation, where features and price trump security. “One of the key reasons people keep proposing legislation like this is that if customers wanted secure devices, the market would provide them as default,” he said. “Customers don’t, so they say we need government oversight, yet here in the proposed act we have a clause that states security is second to price.”
Cipot said he thinks the bill is going in the right direction, but that “the key to whether it will work or not is enforcement.”
And Lee said it’s important to remember that the real world is not a perfect world. “In a perfect world, self-regulation and enlightened self-interest is all that would be required to build bullet-proof cyber security into IoT devices,” he said.
“Absent that, a congressionally mandated, NIST-developed, and OMB-implemented purchasing standard is an elegant solution.”
But Clark said while government purchasing power is one incentive to improve security, there need to be others. “This includes the removal of lowest-cost bidding and provisions for innovation in cyber security methods and practices,” he said.