Recent government cybersecurity initiatives assume that the federal government has a role to play in securing the IoT and critical infrastructure. Does it?
The original version of this post was published on Forbes.
The idea that the U.S. federal government could play a dominant and effective role in protecting the nation from malicious cyberattacks on everything from Internet of Things (IoT) devices to critical infrastructure to election voting systems might strike some people as absurd.
The federal government's own catastrophic security failures are well known.
But the feds are going to try anyway. We won’t try to count all the pending security initiatives, but here are three of the most recent:
President Trump’s proposed budget seeks nearly $11 billion for cybersecurity. And while, like all proposed presidential budgets, it is pronounced “dead on arrival” in Congress, those line items probably have a better chance than most of surviving. Cybersecurity is one of few things that has broad bipartisan support.
The requests include $9.6 billion for Department of Defense (DoD) cyber operations—not just for defense but also for offensive operations by U.S. Cyber Command.
Another $1 billion is earmarked for the Department of Homeland Security (DHS) to protect federal networks and critical infrastructure, including elections equipment.
A bipartisan group of senators and House members has reintroduced a bill to address the glaring, ubiquitous insecurity of IoT devices. The IoT Cybersecurity Improvement Act of 2019—an updated version of a similar bill filed in 2017—proposes to leave the details of how manufacturers and vendors should improve the security of their products to the National Institute of Standards and Technology (NIST).
But it would, according to a press release from Sen. Mark Warner, D-VA, “require that devices purchased by the U.S. government meet certain minimum security requirements.”
The DoD’s Defense Advanced Research Projects Agency (DARPA) has signed a $10 million contract with Oregon-based Galois to design a secure, verifiable and transparent voting system that it hopes will be bulletproof to hackers.
The transparency will come through the system generating a paper trail—the record of votes won’t be just digital.
As Motherboard reported, DARPA hopes the security will come through using secure, open source hardware, publishing the source code for the software online and bringing prototypes to the DEF CON Voting Village this summer and next, to let hackers try to find bugs or other vulnerabilities in them.
The agency also plans to have some university researchers test the systems during the coming year.
The Galois prototypes won’t be sold commercially but will be made available for existing voting system vendors or others to “adopt and customize without costly licensing fees or the millions of dollars it would take to research and develop a secure system from scratch.”
So is this the role government ought to be playing? Do those initiatives have a chance of bringing more robust security to the IoT and critical infrastructure?
Well, it’s complicated. Kevin Fu, chief scientist at Virta Labs, testified in late 2016 before Congress along with Bruce Schneier, CTO of IBM Resilient, in favor of government regulation of the IoT.
Both said at the time that the rampant insecurity of IoT devices was due to “a market failure” and that the only solution was government regulation.
That hasn’t happened yet, and Fu hasn’t changed his mind. “The real problem is market failures and need for government intervention,” he said, regarding not only the IoT but the other infrastructure and systems that are now computerized and connected.
“I’m less and less confident that the market will self-regulate,” he said, adding that security “needs to be built in, not bolted on” to the billions of devices, systems, networks and machines now controlled by software.
Fu said he supports the legislation calling for NIST to set security standards. “I almost always think NIST is right when it comes to standards,” he said. “They’re experts at computer security in general, so they should be front and center with a directive and a budget.”
But don’t expect NIST to enforce whatever standards end up being developed. “They’re not a regulator—they’re not the police,” he said.
Dan Waddell, senior vice president of Zeneth Technology Partners, which provides cyber products and services to federal and commercial clients, agrees that government needs to be involved and that the current initiatives are good ways to do so.
He noted that “many federal systems now operate on networks owned and operated by the private sector while NIST’s Cybersecurity Framework (CSF) has adoption across multiple domains including .gov and .com.”
Indeed, given that technology crosses all sectors, private and public, “it’s no longer who owns what anymore. The lines have become extremely blurred,” Waddell said.
It is not just the federal level, either, where governments are getting involved. Danny Ogburn, senior director, business process management, at Synopsys, noted the California Consumer Privacy Act of 2018, which is spawning copycat legislation across the U.S. “[It] creates an EU (European Union) style approach to data privacy, and creates a statutory damage/liability for breaches,” he said. “If businesses do not manage the risk, data protection authorities will do so, through any legal means.”
Of course there is no way to tell how much these initiatives, however well intended, will reduce the risks of catastrophic attacks. As the saying goes, that remains to be seen.
“It’s going to be a long process,” Fu said. “I don’t see bad guys or malfeasance, but systems aren’t aligned in a way to give consumers what they need. Consumers don’t have choices (to buy secure devices).
“But if we don’t put standards in place, this market could collapse. It’s not going to be sustainable,” he said.
Waddell said he would like to see bug bounty programs expand—especially those that involve both the public and private sector. He pointed to the 2016–17 “Hack the Pentagon” program as an example. In that program, more than 600 researchers reported more than 3,600 vulnerabilities to the DoD.
“Let’s continue to encourage this type of ethical crowd-sourced hacking on IoT and critical infrastructure,” he said.
And he agrees with Fu that security is a journey. “We shouldn’t be treating cybersecurity as an all-or-nothing approach,” he said. “Embrace risk management, prioritize your most critical assets and work to reduce the likelihood and impact of breaches.”