IoT Security Bill Calls For Intense Vetting, Vague Solutions



Dan Gunderman
11/14/2017

An uptick in cyber-crime worldwide has security professionals on high alert. That concern is doubled by internet-connected devices, which can be conscripted into DDoS attacks.

The U.S. government appears to be attempting to address this issue by proposing a bill to secure devices connected to the web in the expansive network called the Internet of Things (IoT). Spearheaded by Senators Mark Warner (D-Va.), Cory Gardner (R-Colo.), Ron Wyden (D-Ore.) and Steve Daines (R-Mont.), the bill aims to tighten security on IoT devices and to begin setting a standard for device security as it affects federal agencies and their purchases.

As a whole, the bill – called the Internet of Things (IoT) Cyber Security Improvement Act of 2017 – is not being described as forceful enough to alleviate the IoT DDoS threat in its entirety, but it stands as a gateway to stricter or more visible legislation. In some circles it has been described as “Goldilocks” IoT legislation, meaning its components are not oppressive, but also not too lenient.

Previously, governments worldwide have had trouble rolling out these security measures – either because of their overhead or inability to effect change. While some have made inroads in the security vertical, much of the progress is in visibility, not direct enforcement.

There have been breach disclosure measures – which apply to reeling enterprises – along with presidential instructions to reinforce networks and data, etc. There have even been more stringent laws – take for example GDPR and HIPAA – mandating a unified and widespread cyber security system.

Yet, there appears to be no touchstone measure that, as applied, is both universal and practical. Will the IoT Cyber Security Improvement Act light the way for future change? At the very least, it appears poised to set the parameters for devices beneath the watch of the Office of Management and Budget (OMB).


The bill requires the OMB to set standards for federal agencies. According to Dark Reading, if passed, IoT devices would need to be free of known vulnerabilities, as defined by entries in the NIST National Vulnerability Database. Devices would also require software and firmware components that can receive vendor patches.

The bill also requires devices to be operational under acceptable communication, encryption and interconnection standards. What’s more, hard-coded credentials would not be included for the delivery of updates and messages. If vulnerabilities are discovered, a means for notification and disclosure must be established. These devices would also have to be patched and/or repaired promptly.

The bill would also require agencies to create inventories of IoT devices – with monthly updates. They would also have to report which devices are without support or have liability protections.

The troubleshooting and testing conducted by cyber security researchers would also be loosened somewhat under the new bill, as those testing for vulnerabilities are allowed more freedom. That is, certain exemptions would be made for researchers regarding the Computer Fraud and Abuse Act (CFAA), which states that those accessing a computer without authority and causing “harm” are committing a crime.

The well-intentioned CFAA set out to outline repercussions for cyber-crime. Yet it has also hindered researchers’ abilities to test for weaknesses in software and devices. This attempt to adjudicate cyber security turned out to limit research potential, as cyber thieves do not adhere to the law anyway.


In the 2017 bill, security researchers testing federal agencies’ IoT devices “in good faith” will be able to skirt the CFAA and the Digital Millennium Copyright Act (DMCA) to carry out their duties. These researchers are still subject to libel charges if they publish false results.

On defining an IoT device, the 2017 bill becomes a bit vague, describing it as any physical object with data processing capabilities that is able to connect to the internet.

Manufacturers can be exempted from the measure if they disclose vulnerabilities and mitigation steps, along with a “justification for secure use.” Devices with limited functionality may also be exempted if they are far too “impractical” to secure.

This comes as botnet and DDoS threats continue to proliferate (recently, there was the menacing “Reaper” botnet threat along with the 2016 attack from the Mirai botnet, lassoing in devices running Linux).

The proposed bill would ostensibly set new standards in IoT security, despite its limited scope in certain areas. It could serve as a bridge to further security measures that, when translated to the enterprise, could be a sure-fire way to build defense and prevent DDoS attacks.