The Federal Government Wants IoT Security to Improve

The Internet of Things Cybersecurity Improvement Act of 2017 is proposed legislation that would require basic cybersecurity best practices in products the federal government purchases. It imposes certain design requirements and capabilities intended to raise the overall security baseline of those devices.

It includes nontrivial vendor constraints, such as:

  • Vendors cannot ship products containing known vulnerabilities.
  • Systems must be architected so they can be patched when new vulnerabilities are discovered.
  • Designs may not embed fixed passwords that cannot be reset or changed.
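To make the third constraint concrete, here is an added illustration (written for this page, not code from the bill or from any vendor) of the pattern it prohibits next to a resettable alternative. The device name, the per-device initial password and the minimum length are assumptions; the point is that the owner can change the credential, the stored value is a salted hash rather than the password itself, and the factory-set value cannot be used indefinitely.

```python
"""Fixed firmware password versus a resettable, hashed device credential.

Illustrative example added to this page; not code from the Act or any product.
The initial password strings and the 12-character minimum are assumptions.
"""
import hashlib
import hmac
import os

# --- Pattern the bill prohibits: one secret baked into every unit ---------
FIXED_PASSWORD = "admin"  # constructed example; the owner has no way to change it


def fixed_login(password: str) -> bool:
    """Same credential on every device, never rotatable."""
    return hmac.compare_digest(password.encode(), FIXED_PASSWORD.encode())


# --- Resettable alternative ------------------------------------------------
class DeviceCredentials:
    """Salted PBKDF2 hash of the credential; forces a change of the initial value."""

    ITERATIONS = 200_000
    MIN_LENGTH = 12  # assumed policy value

    def __init__(self, initial_password: str):
        # initial_password is assumed to be unique per unit (e.g. printed on a label)
        self._salt = os.urandom(16)
        self._hash = self._derive(initial_password, self._salt)
        self.must_change = True  # still on the factory-set value

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def verify(self, password: str) -> bool:
        # Constant-time comparison of the derived hash, not of the password itself.
        return hmac.compare_digest(self._derive(password, self._salt), self._hash)

    def login(self, password: str) -> str:
        """Returns 'ok', 'change_required' or 'denied'."""
        if not self.verify(password):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, current: str, new: str) -> bool:
        """Owner-driven rotation; rejects a wrong current password or a weak new one."""
        if not self.verify(current) or len(new) < self.MIN_LENGTH or new == current:
            return False
        self._salt = os.urandom(16)  # fresh salt on every change
        self._hash = self._derive(new, self._salt)
        self.must_change = False
        return True

    def factory_reset(self, initial_password: str) -> None:
        """Physical-reset path: back to the per-device initial value, flagged for change."""
        self._salt = os.urandom(16)
        self._hash = self._derive(initial_password, self._salt)
        self.must_change = True


if __name__ == "__main__":
    creds = DeviceCredentials("factory-1234")  # constructed label value
    print(creds.login("factory-1234"))           # change_required
    creds.change_password("factory-1234", "correct-horse-battery")
    print(creds.login("correct-horse-battery"))  # ok
    print(creds.login("factory-1234"))           # denied
```

The fixed variant is what the bill targets: a secret that is identical across the product line and cannot be rotated once a breach or a firmware dump exposes it. The resettable variant still needs a patch path so the hashing parameters themselves can be updated later, which is the second constraint in the list above.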

Sadly, these are basic practices, yet they are not being consistently followed by the Internet of Things (IoT) manufacturing industry. It saddens me that we must resort to legislation to enforce common-sense cybersecurity practices. In my opinion, the technology industry has an ethical and business responsibility to provide customers with at least rudimentary capabilities to support security, privacy, and safety.

This legislation, if approved, will limit which systems the U.S. government can consider procuring. Vendors who want such customers will therefore need to be more responsible about designing security into their products.

Recently, the U.S. Army ordered troops to stop using drones made by a major Chinese manufacturer, citing cyber vulnerabilities.

I support good security practices but in general feel that legislation is a poor safety net for making them commonplace. It shouldn't be necessary. Sadly, I recognize that when the industry ignores the basics, major customers, such as governments, may be forced to set their own standards for purchases.

I expect other governments and sectors such as finance, healthcare, and critical infrastructure to incorporate these guidelines into their procurement requirements as well. If other markets follow suit, it may be a harsh wake-up call for IoT vendors that security is as important as quality.


Interested in more? Follow me on LinkedIn, Twitter (@Matt_Rosenquist), Information Security Strategy, and Steemit to hear insights and what is going on in cybersecurity.

Jeremy Fabiano, BS, CISSP, CCNA

Information Security Analyst at Adventist Health

7 years ago

Bruce Schneier in one of his talks mentioned that a legislative mandate will be the only solution. It's sad, but I believe he is correct. Manufacturers would rather use an existing proven module with a known vulnerability than invest in the extra overhead to find a better product that will also cost more. I'd recently watched a few Black Hat keynotes, and one of the things I saw is that a ton of competing products all use the same basic logic modules, making all the like devices susceptible to the same vulnerabilities.

Jesse Records

MES Design Engineer at Sepasoft, Inc.

7 years ago

Agreed. Industry standards are preferred over government mandates.

Lenroy C.

Senior Security Analyst

7 years ago

It's sad if we think making a system patchable, or being able to change a default password, and the like are extraordinary security measures. These kinds of practices, or really the lack thereof, are a few steps backwards. If this is where the discussion is starting, then there is a long way to go.

Durandal Roland

IT Manager, CISSP

7 years ago

The main issue is consumer education on security needs. The average consumer does not have the time to conduct an in-depth analysis of each IoT product they intend to purchase. A possible opportunity is for companies to submit their products to certain organizations that can do basic pen testing on the products to achieve a certain certification level, valid for X years, conditional on the company being willing to patch the product to maintain certification. It won't be a foolproof method, but it should draw additional scrutiny toward the security a product offers versus its competitors.
