Still just recommendations, not regulation, for IoT security

Trying to secure the Internet of Things (IoT) makes herding cats look like a breeze. The IoT is rapidly becoming the Internet of Everything—billions of devices with an almost endless variety of designs and purposes, embedded in vehicles, homes, factories, critical infrastructure, health, fitness, finance, and more.

And for the large majority of those devices, software security isn’t just an afterthought. It’s not even a thought at all. Instead, the priorities for most organizations are adding features and getting their products to market faster than the competition.

                       Join the conversation in the Synopsys Community.

This is true even though there are now numerous sets of recommended standards and best practices available, from both government and private organizations, to improve IoT security.

This is true even though there have been regular warnings and exhortations about the risks of such a vast online attack surface ever since those not-so-long-ago days when there were only a billion or so connected devices. Now there are an estimated 8.5 billion, with 20.4 billion expected to be in use by 2020—less than 2 years away.

Some of those warnings came in a hearing nearly a year and a half ago before the House Committee on Energy and Commerce where several security experts said IoT security was a problem the market wouldn’t correct and that it was past time for the government to intervene.

“There is a fundamental market failure at work,” said Bruce Schneier, CTO of IBM Resilient. Lack of security is “a form of invisible pollution. And, like pollution, the only solution is to regulate,” he said.

Michael Fabian, principal consultant with the Synopsys Software Integrity Group, says that is still the reality. “Regulation, not voluntary standards, gains compliance,” he said.

But so far, IoT regulation is essentially nonexistent. None of the lists of standards and best practices for bringing at least a basic level of security hygiene to IoT—including those from the government—has the force of law.

And there is no evidence that’s going to change. The government’s contribution continues to be recommendations, not regulations. There are multiple examples:

• The Department of Homeland Security (DHS) published Strategic Principles for Security the Internet of Things nearly a year and a half ago, in November 2016. But it noted that the items outlined are “non-binding principles and suggested best practices,” which means they have no force of law and there’s no consequence for failing to follow them.
• Last August, Sen. Mark Warner (D-VA) filed a bill titled the Internet of Things Cybersecurity Improvement Act of 2017, which would, among other things, use government purse strings as an incentive, requiring that it purchase only IoT products that meet its security standards. But the last action on that bill was referral to the Committee on Homeland Security and Government Affairs on Aug. 1.
• This past October, Sen. Ed Markey (D-MA) and Rep. Ted Lieu (D-CA) co-sponsored a bill titled the Cyber Shield Act of 2017 that would launch “a voluntary program to identify and promote Internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes.” But note that it would be voluntary. And so far, it hasn’t even made it out of the Committee on Commerce, Science, and Transportation, never mind to the floor of either chamber.
• And just a month ago, the National Institute of Standards and Technology (NIST)—an agency within the federal Department of Commerce—issued its latest Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things. In the report, NIST calls for international standards to improve IoT security and joins the chorus of warnings that failure to do so will put not only consumers and enterprises but also national security at risk. The public comment period on the draft runs until April 18.

NIST noted that two presidential committees have said the same thing. The National Security Telecommunications Advisory Committee (NSTAC) recently declared that “there is a small—and rapidly closing—window to ensure that IoT is adopted in a way that maximizes security and minimizes risk.”

And the president’s Commission on Enhancing National Cybersecurity said in December 2016 that while the IoT “has the potential to revolutionize most industries and many facets of everyday life,” the potential harm from hackers (including hostile nation-states) to everything, including U.S. critical infrastructure, “is immense.”

NIST offers numerous recommendations to make connected devices secure and resilient. They are similar to those proposed by numerous other organizations that have called for better IoT security: encryption, digital signatures, cyber incident management, hardware assurance, identity and access management (IAM), IT system security evaluation, network security, security automation and continuous monitoring, software assurance, supply chain risk management, and system security engineering.

But it acknowledges that “despite known impacts of insecure software, the pace of adoption [of best practices and standards] is slow” in just about every major area of the IoT.

That’s probably because at least so far, legislators aren’t feeling much heat from their constituents on the matter. Larry Trowell, associate principal consultant in the Synopsys Software Integrity Group, said that without the force of law or regulation, the only way things will change is “if consumers begin to care and notice the security of the devices they buy. Until then manufacturers are likely to get away with as many security flaws as they can without affecting their PR.

“Having the information available is nice, but unless the consumers are willing to sacrifice more money for added security, I don’t see the program being effective,” he said.

Jesse Victors, consultant with Synopsys SIG, agrees.

“Consumers don’t buy products with privacy, data protection, or security standards in mind,” he said. “This is not their fault—it’s a complicated field, and they have neither the time nor the technical expertise to identify threats against the product. They just want them to work.”

Of course, the risks involved suggest that consumers ought to care. In some cases the damage could amount to major annoyances, like invasion of privacy, identity theft, or compromised credit cards. In other areas, however—such as if an attacker defeats the locks on a “smart” home or hacks into medical devices—the consequences could range from burglary to injury, illness, and death. Attacks on critical infrastructure could cause grid failures or environmental disasters.

And even if the Cyber Shield Act passes, nothing will happen quickly. The bill calls for the formation of yet another committee—a Cyber Shield Advisory Committee—which would then have a year to produce recommendations to the secretary of commerce.

Why not just use the NIST recommendations, or those of other organizations that are already complete, rather than establish another committee?

NIST wouldn’t comment. And neither Markey’s nor Lieu’s press offices responded to questions about the bill, including whether it had any chance of passage this year.

Zach Lanier, principal research consultant at Atredis Partners, said another committee is not necessarily a bad thing but that “it could be daunting for consumers, vendors, and organizations searching for guidance on building, securing, or procuring devices and solutions.”

The bill does propose an incentive for IoT vendors—one of them a Cyber Shield labeling program that sounds a bit like the programs from Good Housekeeping and Underwriter Laboratories (UL) and would certify products “that meet industry-leading cybersecurity and data security benchmarks to enhance cybersecurity and protect data.”

Trowell applauded the concept but said it still comes down to whether that matters to consumers. “Unless you can get the consumers to care about security, labeling won’t really be the market driver that the government wants or expects it to be,” he said.

Ersin Domangue, a security analyst at Independent Security Evaluators, agreed. He said labeling “relies on the hope that consumers would be educated enough to buy devices that adhere to these lists.”

And Victors said developers and vendors aren’t going to volunteer to spend more on security if consumers don’t care. “U.S. consumers may happily choose a cheaper Chinese-made and horribly insecure baby monitor over a more expensive U.S.-made and Cyber Shield Certified monitor that has the same features,” he said.

Lanier notes that Consumer Reports has begun to evaluate the security of IoT devices. But the effect, he said, is hard to predict. “I can’t recall a time I used Good Housekeeping or Consumer Reports as guides when making a purchasing decision,” he said.

There is general agreement, however, that while the Cyber Shield Act wouldn’t even come close to creating an impenetrable IoT shield, it would be much better than nothing—if it were enacted.

“Is it sufficient? No,” Trowell said. “But is it better than what we have now? Yes. There is a lot of ground to cover in securing IoT systems, and fixing the basic stuff would go a long way in that direction.”

And even though online threats evolve with blinding speed, Domangue said Cyber Shield’s call for benchmarks to be updated only every 2 years isn’t unreasonable.

“Specific threats do evolve faster,” he said, “but the principles of security are mostly static. So a benchmark that requires a company to have ongoing security evaluations to protect consumers would be highly recommended.”

Lanier also called it “a step in the right direction. Such standards, while not directly enforced by the government, are and may still continue to be the standards that industry and business follow,” he said.

Fabian said that the reality remains that a stick is more effective than a carrot when it comes to IoT. He noted that some companies looking to purchase IoT products include security requirements in their specifications. “That might as well be regulation as far as the vendor is concerned,” he said.

“But if it isn’t required in some way, you can’t trust vendors to do it.”