The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 aims to mitigate risks and increase security in IoT products. Does it stand a chance?
New legislation proposed this month in U.S. Congress seeks to mitigate the risk of botnets commandeering Internet of Things (IoT) devices used in the U.S. government. The Internet of Things Cybersecurity Improvement Act of 2017 is a proposal from Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-WA) and Steve Daines (R-MT). It aims to mitigate risks and increase security in IoT products. The bill is limited to U.S. government-purchased devices. Since the U.S. government is such a large consumer, it is reasonable to assume that these improvements will eventually find their way into commercial products as well.
Regarding cyber security, Warner told Recode, “You’ve got to constantly be upgrading your game. And what we’re saying with Internet of Things devices is, if you’ve got hard-coded passwords or they’re not able to be patched, because they’re cheaper or smaller devices, that can’t be standard protocol.”
This is not the first time new legislation has focused on IoT. In March 2016, U.S. Sens. Deb Fischer (R-NE), Cory Booker (D-NJ), Kelly Ayotte (R-NH), and Brian Schatz (D-HI) proposed the Developing Innovation and Growing the Internet of Things (DIGIT) Act, which drew little attention. The bill was reintroduced for the 2017–18 Congress. It seeks to define what is included within the Internet of Things. It also seeks to examine how to better deliver IoT services to the public. However, it does so without specifying implementation strategies, especially regarding testing and security.
DIGIT aims to establish various working groups to foster the innovation needed for the economic activity associated with the proliferation of IoT in the coming years. It lists five aspects of the Internet of Things:
It also aims to set up global interoperability standards so that devices can work within any market. It provides only a framework, not specifics.
In contrast to DIGIT, the Internet of Things Cybersecurity Improvement Act of 2017 calls out specific problems with unchecked proliferation. Last year the use of default passwords in IoT devices resulted in the creation of a massive botnet, Mirai. In October 2016, a massive distributed denial-of-service (DDoS) attack targeted DNS provider Dyn in the United States and OVH in Europe. The attack leveraged thousands of compromised internet-connected surveillance cameras. The result was hundreds of popular websites (Twitter and Reddit among them) being inaccessible for several hours. A similar attack, also using Mirai, was launched a few weeks later against Deutsche Telekom.
The proposed IoT cyber security legislation addresses the rampant use of hard-coded passwords. It also includes a clause requiring a contractor providing any internet-connected device to provide written certification that the device does not contain any hardware, software, or firmware components with any known security defects. For a list of known defects, the legislation cites the National Vulnerability Database (NVD, produced by the National Institute of Standards and Technology, or NIST) and “any additional database selected by the Director that tracks security vulnerabilities and defects.”
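As an added illustration of what the certification clause asks a contractor to demonstrate (this is example code, not the article's or Synopsys's), the script below checks a device bill of materials against a feed of known-vulnerability records keyed by product and affected version range, the way NVD records express applicability. Both the feed and the inventory are constructed stand-ins with placeholder ids rather than real CVE numbers; in practice the feed would be a local NVD export and the inventory would come from an SCA tool.

```python
"""Checking a device component inventory against a known-vulnerability feed.

Added illustration, not code from the article or from Synopsys. FEED is a
constructed, simplified stand-in for NVD-style records (product plus an
affected version range); the ids are placeholders, not real CVE numbers.
INVENTORY is a constructed bill of materials for one hypothetical device.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1) so ranges compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str                 # placeholder id (constructed)
    vendor: str
    product: str
    start_incl: Optional[str]    # first affected version; None = from the beginning
    end_excl: Optional[str]      # first fixed version; None = no fix published
    summary: str

    def affects(self, vendor: str, product: str, version: str) -> bool:
        """True when the component falls inside this record's affected range."""
        if (vendor, product) != (self.vendor, self.product):
            return False
        v = parse_version(version)
        if self.start_incl is not None and v < parse_version(self.start_incl):
            return False
        if self.end_excl is not None and v >= parse_version(self.end_excl):
            return False
        return True


# Constructed feed: three records covering the range shapes NVD records use.
FEED: List[VulnRecord] = [
    VulnRecord("EXAMPLE-0001", "acme", "httpd-lite", None, "1.3.0",
               "Unauthenticated request smuggling; fixed in 1.3.0"),
    VulnRecord("EXAMPLE-0002", "acme", "mqtt-broker", "2.0.0", "2.0.5",
               "Topic ACL bypass in 2.0.0 through 2.0.4"),
    VulnRecord("EXAMPLE-0003", "nimbus", "ssh-agentd", None, None,
               "Hard-coded maintenance credential; no fix published"),
]

# Constructed inventory for one hypothetical device: (vendor, product, version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("acme", "httpd-lite", "1.2.9"),     # inside EXAMPLE-0001's range
    ("acme", "mqtt-broker", "2.0.5"),    # exactly the fixed version: not affected
    ("nimbus", "ssh-agentd", "0.9"),     # open-ended record: affected
    ("nimbus", "tls-core", "3.1.0"),     # no record at all
]


def known_defects(inventory, feed) -> Dict[str, List[str]]:
    """Map each affected component ('vendor:product:version') to matching record ids."""
    findings: Dict[str, List[str]] = {}
    for vendor, product, version in inventory:
        hits = [r.vuln_id for r in feed if r.affects(vendor, product, version)]
        if hits:
            findings[f"{vendor}:{product}:{version}"] = sorted(hits)
    return findings


def can_certify(inventory, feed) -> bool:
    """A 'no known defects' statement is only true when the feed returns nothing."""
    return not known_defects(inventory, feed)


if __name__ == "__main__":
    for component, ids in known_defects(INVENTORY, FEED).items():
        print(f"{component}: {', '.join(ids)}")
    print("certifiable:", can_certify(INVENTORY, FEED))
```

Two details matter for a procurement check like this. The upper bound of an affected range is exclusive, so a component sitting exactly at the fixed version passes while one release earlier fails, and a version string must be compared numerically ("1.10" is newer than "1.9"). A record with no fixed version, such as the hard-coded credential above, keeps matching every release, which is exactly the case the bill's patchability requirement is meant to rule out. Because the feed changes daily, a "no known defects" certification is a point-in-time statement and the check belongs in the build pipeline, not in a one-off audit.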
“While I’m tremendously excited about the innovation and productivity that Internet of Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Sen. Warner in a press release. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
Writing in Lawfare, Nicholas Weaver, of University of California, Berkeley, said, “The legislation focuses on creating a set of standards for devices installed in U.S. government networks. This makes the bill unlikely to face significant anti-regulatory opposition while it creates de facto standards that perhaps many device makers—not just those with products in government networks—will eventually adopt.”
While requirements for government-purchased IoT devices are basic (i.e., they reflect commonsense practices such as “Don’t sell things with known security flaws”), the legislation could provide organizations selling those devices with an important baseline. For those purchasing devices, it would start to define procurement expectations. Synopsys has a free, interactive procurement document that organizations can use today to begin securing their cyber supply chain.
For cyber supply chain testing, Synopsys provides a variety of tools. Coverity static application security testing (SAST) checks source code for common weakness enumerations (CWEs). Additionally, Black Duck software composition analysis (SCA) checks source code and binaries for common vulnerabilities and exposures (CVEs) in third-party code.
What about unknown vulnerabilities? Under the proposed legislation, white hat researchers looking for vulnerabilities in IoT devices would be exempt from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act. Sen. Wyden said, “I’ve long been making the case for reforms to the outdated and overly broad Computer Fraud and Abuse Act and the Digital Millennium Copyright Act. This bill is a bipartisan, common sense step in the right direction. This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company.”
The proposed legislation also directs the Department of Homeland Security’s National Protection and Programs Directorate to provide coordinated vulnerability disclosure guidelines for contractors. Responsible disclosure of vulnerabilities to vendors is a concern, as many never get disclosed to the public. Providing a means by which the industry can also see how many vulnerabilities there are, and of what type, would benefit all.
In February, security expert Bruce Schneier addressed RSA Conference 2017 with a call for IoT regulation. “I’m not sure the alternative is viable anymore,” Schneier said. “I think governments are going to get involved regardless; the physicality of the problems will get them involved. First the courts will set precedent, then there will be torts. Nothing regulates the U.S. government like fear.”
In a statement regarding the new legislation, Schneier said, “The risks are no longer solely about data; they affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests. I applaud Senator Warner and his cosponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government.”
For additional guidance, Schneier has compiled a helpful list of IoT best practices from a variety of sources.