Few people would argue that cybersecurity is in a parlous state. In the last few weeks, we’ve seen a connected car wash and fish tank hacked respectively and a smart gun unlocked and fired thanks to a magnet at the latest DefCon.
In response to the problem, a bipartisan group of U.S. senators has put forward new legislation to address the security problems of the Internet of Things. The new bill, introduced on Tuesday, would require vendors that provide connected equipment to the U.S. government ensure products are patchable and meet industry security standards, according to Reuters.
The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 is backed by the co-chairs of the Senate Cybersecurity Caucus — Democrat Mark R. Warner and Republican Cory Gardner, as well as Democrat Senator Ron Wyden and Republican Senator Steve Daine.
“My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products,” Warner said.
The new bill would require a contractor providing an Internet-connected device to certify that it does not contain “any hardware, software, or firmware component with any known security vulnerabilities or defects” listed by the US National Institute of Standards and Technology’s National Vulnerability Data. Devices would have to be certified to be capable of “accepting properly authenticated and trusted updates from the vendor” and use “only non-depreciated industry-standard protocols and technologies” for functions such as network communications and encryption. Further, a contractor must certify that the device “does not include any fixed or hard-coded credentials used for remote administration, the delivery of updates or, communication.”
Devices would have to be certified to be capable of “accepting properly authenticated and trusted updates from the vendor” and use “only non-depreciated industry-standard protocols and technologies” for functions such as network communications and encryption. Further, a contractor must certify that the device “does not include any fixed or hard-coded credentials used for remote administration, the delivery of updates or, communication.”
The Insecurity of Things: A Brief History
Security and Privacy in Your Car (SPY Car) Act
Current efforts are not the first attempt at legislation to address the security problems of IoT. In 2015 and again in March this year, Senator Ed Markey introduced the Security and Privacy in Your Car (SPY Car) Act, legislation that would direct NHTSA and the Federal Trade Commission to establish federal standards to secure our cars and protect drivers’ privacy. The SPY Car Act also establishes a rating system — or “cyber dashboard”— that informs consumers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards. It further requires that every vehicle give “clear and conspicuous notice” to the driver about what driving data is being collected, if it’s being transmitted or saved, and how it’s being used.
FTC case against TrendNET
The Federal Trade Commission (FTC) released a report into IoT privacy and security in early 2015 which detailed the issues and issues a series of recommendations for companies developing IoT devices. These included the recommendation “that vendors monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.”
Several of these principles alluded in the FTC report are illustrated by the Commission’s first case involving an Internet-connected device. The FTC filed a complaint against security camera maker TrendNet for allegedly misrepresenting its software as “secure.” In its complaint, the Commission alleged, among other things, that the company transmitted user login credentials in clear text over the Internet, stored login credentials in clear text on users’ mobile devices, and failed to test consumers’ privacy settings to ensure that video feeds marked as “private” would, in fact, e private.
As a result of these alleged failures, hackers were able to access live feeds from consumers’ security cameras and conduct “unauthorized surveillance of infants sleeping in their cribs, young children playing, and adults engaging in typical daily activities.The complaint came after hackers breached TrendNet’s web site and accessed videos from 700 users’ live-camera feeds — many of these videos were published on the Internet.
The case was settled with stipulations including requiring the company to obtain third-party assessments of its security programs every two years for the next 20 years. TrendNet were also required to notify customers about the security issues with the cameras and the availability of the software update to correct them, and to provide customers with free technical support for the next two years to assist them in updating or uninstalling their cameras.
Legislation, Education, or Self-Regulation?
Since then there has of course been a change of government and administration. Earlier this year the current head of FTC told The Guardian that the agency is “not primarily a regulator” and called for a wait-and-see approach to enforcement during a discussion at a conference of cyber security professionals Nasdaq.
For the last couple of years, a working group convened by the U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) has been developing guidance about ways for IoT device manufacturers to better inform consumers about security updates related to the devices. This is a key part of any IoT security protocols, particularly in regard to insecure devices already on the market. Further, what may be secure at present may further degrade without vigilance from customers.
How attentive are consumers willing to be? What about products purchases internationally? We’re currently in an era where a household may contain over 200 connected devices, each with their own specific security requirements. It’s not any better in enterprise, according to research earlier this year, almost half of all companies in the US using an IoT network have been the victims of recent security breaches,
We’re currently in an era where a household may contain over 200 connected devices, each with their own specific security requirements and varied life cycle. Even just cataloging all the connected devices in a single workplace could be a mammoth undertaking. Personally, I’m unconvinced a security minimum standards or rating system would work either, due to the sheer volume of connected devices emerging each year and the volatility of cyber security to new vulnerabilities. Will the current efforts of the Senate Cybersecurity Caucus lead to a trickle down effect to consumer law? How long would it take and how would it be enforced? Technology moves fast and it’s questionable whether the law can keep up.