How Amazon and Walmart Could Fix IoT Security
Bruce Schneier Says Pressure on Retailers Could Fix Insecure IoT Supply Chains
IoT devices can be made cheaply and quickly. But as a result, they may lack adequate security features.
There's been a global effort by countries, standards organizations and corporations to improve the state of IoT security through voluntary baseline standards. Connected devices suffer from a range of issues, including insecure default configurations when they're sold as well as inconsistent patching by vendors.
But an IoT device isn't just one product. It's an assembly of components that come from a variety of manufacturers made in a variety of places. A security problem could be rooted in any of those components.
The question is how to enforce good security practices on IoT suppliers in places out of reach of U.S. regulators. In a new report, experts at the Atlantic Council say they have a solution: put the pinch on the U.S.-based retailers and distributors of products, who in turn will demand that their suppliers meet a higher standard.
Security expert Bruce Schneier, a co-author of the Atlantic Council's report, says IoT needs to be regulated for security, just like the nutritional content of baby food or the fire resistance of kid's pajamas is regulated.
"If we want to ensure some minimal security and safety standards in the United States, we have to impose that restriction on some U.S. entity," Schneier says. "The best place to do that is going to be the company that sells it to the consumer, so whether that is an Amazon, or a Walmart or some distributor."
There's growing concern that poor device security could cause calamities as connectivity is incorporated into vehicles, medical devices and critical infrastructure. The council report warns that the consequences could be fatal (see: Smart Devices: How Long Will Security Updates Be Issued?).
"Hacked thermostats can cause property damage," according to the report, which was also co-authored by Nathaniel Kim and Trey Herr. "Hacked power generators can cause blackouts. Hacked cars, traffic signals and medical devices can result in death."
The 'Reverse Cascade'
There's no enforceable standard for IoT in the U.S., the council writes. Even if IoT laws were more pervasive, those laws wouldn't be enforceable for manufacturers based in China, where the bulk of IoT devices are produced.
But some states have moved toward setting standards. For example, California's IoT law, SB-327, which went into effect in January, forbids the sale of devices that don't have reasonable baseline security measures. Oregon's IoT law, which also became effective in January, is similar to California's.
The Atlantic Council's report contends that regulations will nudge retailers and distributors to demand their upstream suppliers produce IoT devices and components that are secure. The council terms this technique a "reverse cascade."
There already are some examples of the reverse cascade working. For example, the Atlantic Council writes that Canadian civil society organizations pressured U.S. retailers Home Depot and Sears to enforce logging standards and conservation practices on Canadian logging companies. Also, the U.S. Defense Department required vendors to be responsible for good supply-chain practices by their suppliers.
There are clear pinch points. Best Buy, Walmart and Amazon sell the majority of consumer electronics in the U.S., the council notes. In its FY2019 corporate responsibility report, Best Buy notes it is already "working to establish a customer baseline of expectations in the area of security and privacy with respect to IoT devices."
With Wi-Fi routers - crucial IoT devices in nearly every home with internet access - regulations could apply to broadband providers. "Less than a dozen broadband providers, including such names as Comcast, Charter, AT&T, Verizon, and CenturyLink, serve all connected U.S. households, and the top three providers own more than half the market," the council writes.
Level the Playing Field
Schneier says that if "Amazon can't sell a router with basic security functionality, then they're not going to buy those routers, which means the companies that make those routers will lose the U.S. market unless they comply with the regulation."
It will be more expensive to build IoT devices with better security, Schneier acknowledges. But without regulation, the less secure devices will continue to be sold, and consumers won't know the difference, he argues.
"In order to level the playing field, you need a regulation - otherwise someone is going to defect," Schneier says. "Regulation is really important to level the playing field and allow for innovation and security. Lack of regulation is what's stifling innovation in cybersecurity."
There is some movement at the federal level in the U.S. Rep. Ted Lieu, D-Calif., and Sen. Ed Markey, D-Mass., introduced the Cyber Shield Act for the second time in October 2019. The act would establish a committee designed to ensure devices meet minimum cybersecurity standards, which would then get a label designating compliance.
Schneier isn't optimistic that Congress will take action. But he says even basic laws, such as those that California and Oregon have passed, and initiatives in the European Union have effects beyond their jurisdictions.
Manufacturers "aren't going to have two separate software builds, one for California, one for the rest of the country," he said. "Even I - who live in Minnesota - will benefit from this California law."