The Reverse Cascade: Enforcing Security on the Global IoT Supply Chain

N. Kim, T. Herr, and B. Schneier

Atlantic Council, June 2020.


The Internet of Things (IoT) refers to the increasing convergence of the physical and digital worlds. Hundreds of “things” are being connected to the Internet and each other, with more than fifty billion devices expected to be connected by 2030. These devices vary from Internet-connected power-generation equipment to wearable health trackers and smart home appliances, and generally offer some combination of new functionality, greater convenience, or cost savings to users.

As with all benefits, IoT also comes with serious risks, with impacts ranging from individual consumer safety to national security. IoT gives computers the ability to directly affect the physical world: toys, small and large appliances, home thermostats, medical devices, cars, traffic signals, and power plants. This transfers the traditional computer risks to these devices. Cybersecurity is now a relevant concern for even the most mundane household objects—smart electric kettles can be set to explode, while compromised smart toys might eavesdrop on private conversations. Hacked thermostats can cause property damage. Hacked power generators can cause blackouts. Hacked cars, traffic signals, and medical devices can result in death. IoT devices taken over en masse can be used for distributed denial-of-service (DDoS) attacks, paralyzing critical Internet resources and corporate websites with a flood of Internet traffic. In April 2020, a security firm observed a botnet spreading a Linux malware known as “Kaiji,” which used SSH brute-force techniques to target IoT devices. Examples such as these suggest that attempts by both criminals and governments to exploit vulnerabilities in insecure IoT devices will only increase. The result of these insecurities is an emerging national security threat that is likely only to grow without substantial countering action.

These attacks are all the byproducts of connecting computing tech to everything, and then connecting everything to the Internet. They are made substantially more frequent and impactful by the poor state of security practice across many segments of IoT manufacturing and design. While the IoT needs reliable security throughout its ecosystem, the insecure devices that make up the billions of nodes within that ecosystem are a significant part of the problem. Many vendors bring insecure or poorly configured products to market in response to competitive pressures and the lack of clear secure-development standards. A variety of policies and best practices have been proposed, but all remain voluntary and have failed to stem the tide of insecure IoT. Cheeky Twitter feeds such as @InternetofShit offer endless one-liners about Wi-Fi-connected toasters, refrigerators, and adult toys, but the real downside is a diffuse, but growing, risk to public safety and the security of data.

Problem: Many IoT devices are manufactured abroad, and many of these products are extremely low cost with little consideration made for security.

The economics of IoT favor low-cost products. Unlike computers and smartphones, security isn’t prioritized in the development process for IoT products. They are often designed under contract for the company whose brand is on the finished product. The design teams are temporary for the design process, and don’t stay together through the product’s lifecycle.

The United States has limited means to enforce its standards in foreign jurisdictions, like China, where the bulk of IoT products are manufactured. There is nothing inherently untrustworthy or insecure about foreign manufacturing; individual firms and product lines are much more fruitful levels of analysis for distinguishing good security practices from bad. Importantly, however, the United States has few tools to enforce its security standards on manufacturers located abroad. Thus, companies with poor security practices outside the United States create a challenge for established regulatory tools. Policymakers would benefit from more coherent and detailed IoT security standards, but what’s urgently needed is a mechanism to enforce these standards abroad. A coherent set of standards and associated enforcement action against manufacturers throughout global IoT supply chains could well “lift all boats” and address IoT insecurities, which can impact the United States even when the devices themselves are well abroad.

This paper proposes to apply regulatory pressure to domestic technology distributors to drive adoption of security standards throughout their supply chains. This reverse cascade enforces standards back to foreign manufacturers by preventing domestic sale or distribution of products that don’t adhere to the standard. The reverse cascade’s effectiveness is amplified where these supply chains are unusually concentrated in a single firm or a small handful of firms. This approach addresses US regulators’ limited influence in foreign jurisdictions and removes the need to monitor hundreds, if not thousands, of overseas manufacturers directly.

This attempt to squeeze an upstream participant in a supply chain is not unprecedented. In the 1990s, Canadian civil-society organizations successfully used pressure on US home-goods companies like Sears and Home Depot to enforce a set of public standards for logging practice and conservation on Canadian logging firms. Much more recently, the US Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program adopted a requirement for prime vendors—large firms with many subsidiary suppliers—to be responsible for the adoption of good supply-chain security practices by their suppliers. In the CMMC model, rather than force the DoD to map complex supply chains two or three steps removed from the end product, prime vendors are leveraged to enforce standards directly on their supply chains.

This paper will

  • briefly summarize previous approaches to IoT security;
  • outline the challenge of enforcing domestic standards on a globalized supply chain;
  • develop and apply the reverse cascade to the case of Wi-Fi home routers; and
  • make specific recommendations for the United States and the EU.
