Is It Time To Regulate the IoT?
US Senators just introduced new legislation to regulate the purchase of Internet of Things (IoT) devices. Why did they do it, and what chance is there of success?
The Internet of Things Cybersecurity Improvement Act would set minimum security requirements for federal procurements of connected devices. These include the ability to patch code, a lack of hard-coded passwords, and freedom from known security vulnerabilities.
Bruce Schneier, security author, CTO at IBM Resilient and fellow at Harvard's Berkman Klein Center for Internet & Society, is one of the people endorsing the bill. He will talk about the dangers of the IoT in his keynote session at SecTor this November.
IoT presents a real problem, says Schneier, because it is becoming so ubiquitous, and transforming the devices that we've relied on for years.
Computers are essentially disappearing into devices, he points out, meaning that the function of those devices is intimately linked with the code and the connectivity that lies inside them.
"Your car used to be a car with a computer in it. Now it really is a computer with four wheels and an engine," he says. "Just like your smartphone is a computer that makes phone calls."
The danger is twofold. Firstly, he worries that the commercial imperative to make devices cheaper tends to squeeze security out of the equation if you're not intentionally focusing on it. This is leading to an IoT filled with insecure devices. "We're giving the computers these new powers, and security isn't changing in a commensurate way."
Secondly, these computers increasingly affect the world in a real, physical manner, he points out, which makes them more dangerous still.
"It's no longer about data, it's about flesh and blood. It's your car, it's your thermostat, it's your heart defibrillator. The combination of these things—the increased criticality and the decreased security—means that we're going to see problems."
What will this insecure future of IoT look like? It's already here, he says. We have had successful demonstration attacks on voting machines, attacks on thermostats that demonstrated ransomware infection, and a series of successful test attacks on medical devices.
"Cars are the big worry. They're these big one ton metal objects hurtling at people at speed," he says. We've already seen successful demos there, too. He points to attacks on power grids, and mentions aircraft as potential targets. Security researchers have already uncovered many aviation backdoors.
"It's hard to know when it's going to happen, but nobody doubts that it will," he warns.
What can we do about these problems? He argues that self-policing isn't really an option because it hasn't worked well in the past.
"I see one of the biggest failures as the market failure," he says. The insecure devices keep on coming, as other SecTor speakers have demonstrated repeatedly.
The time for regulation is now, Schneier says, pointing out that governments have been involved in other areas affecting public safety, ranging from food through to transportation and buildings.
"None of these were achieved without government intervention. Zero. So computers aren't going to magically be different," he says. "We really need to starting thinking about intervention, or the market failure is going to be catastrophic here."
Until now, the few noises that the government has made about IoT security haven't meant much, Schneier complains.
"They don't go far at all. They don't do anything. There are little, minor things," he says. "The stuff I am saying will make industry unhappy, and in the US, we can't make industry unhappy. Until we can, we're not going to solve it."
The new Bill may shake things up a bit. In addition to laying out specific security requirements, it also asks for third party certifications and mentions the National Institute of Science and Technology (NIST) as one of the organizations that will determine those standards.
NIST published its own standards describing how to develop secure connected systems from the ground up last year. Special Publication 800-160 was pushed out early after the Mirai botnet debacle.
This new proposed legislation only applies to federal procurements, though. Those companies not going after the federal market—including those selling consumer items such as home thermostats and webcams—may not care about it. It doesn't have the same muscle as regulations that strictly control our what vehicles or medical devices might be sold, say.
The bill also allows non-compliant devices to be used in federal environments if there are other security measures to accommodate them.
Would the government have the muscle to push through a tougher, more widespread approach to IoT security, given its current weaknesses? The US legislative branch is in crisis mode as it tries to deliver on basic promises like healthcare reform. The House leader and the President are in open conflict. Things aren't looking good.
"It might not be possible, especially in the US which has this anti-government phobia, almost," says Schneier. "In a sense I look towards Europe and countries like Canada as possible ways to solve the problem, because I see the US as completely dysfunctional here."
Along with others in the industry, he testified before Congress about the IoT cybersecurity threat last year. But then, the government doesn't seem to be that good at actioning early warnings.
18 years earlier, members of LoPHT, including SecTor speaker Chris Wysopal, testified about the dangers of security on the Internet. Since then, millions have fallen victim to online data theft.
This time around, will we get it right?