We’re more connected, but less secure. Internet of Things (IoT) technology is dramatically outpacing regulation. While only phones or computers were previously web-connected it’s now cars and toasters and video cameras and door locks. Many of these devices are connected without much regard for their security ramifications, so government legislation is finally catching up. One important bill in Congress, the Internet of Things (IoT) Cybersecurity Improvement Act, would add significant security requirements for government vendors. It would go a long way toward improving IoT security. What would it do and what does it mean?
What is the IoT Cybersecurity Act?
At a glance, the IoT Cybersecurity Improvement Act sets new purchasing requirements for government agencies. Specifically, agencies would be required to include an assortment of clauses in their purchasing contracts that mandate higher security standards for internet-connected devices.
Why it matters
Internet-connected devices are growing exponentially, from 23 billion in 2018 to a forecasted 75 billion in 2025. Many recent hacking events could have been prevented by cybersecurity strategies like those employed in this bill:
- In October of 2016, an attack shut down Internet for much of the Eastern seaboard by employing a coordinated effort of internet-connected devices, including baby monitors and webcams.
- Part of the recent Equifax breach can be traced to their use of the word “admin” as a username and password.
Internet downtime can cost a company upwards of $100,000 per hour. The Equifax breach revealed sensitive information of 143 million Americans. If these are the impacts when a private corporation is attacked, it’s clear why the government needs to get ahead of them.
What the IoT Cybersecurity Improvement Act Does
This bill would mandate a variety of clauses in relevant purchasing contracts signed by government agencies. These clauses fall into two categories:
- Verifications–claims the vendor would be required to make about their device
- Behavioral requirements–security practices that the vendor would be required to complete
Any vendor selling an internet-connected device would have to affirm that the device:
- Does not contain any known security vulnerabilities
- Uses industry-standard technology for security and communication
- Can be securely accessed and updated by the vendor
- Doesn’t have any fixed or hard-coded credentials
After the device is provided to the government, the vendor would be required to:
- Notify the government if they later learn of a vulnerability
- Update devices to ensure their security
- Repair or replace devices, should there come a security need
- Provide information on continuing security support, including a support timeline and notification when support ceases
While the motivation behind some of these stipulations is relatively clear, others require some explanation. Let’s tackle three that could use some explanation.
1. Hard-coded credentials.
Imagine if every iPhone could be accessed by the same password. No matter how secure an individual made their personal password, a hacker who knew this skeleton key would still be able to break in. Tim Cook, Apple’s CEO, has called such a possibility “dangerous” and “chilling.”
Hard-coded credentials are just that: a username and password built into the machine. They fundamentally can’t be changed, meaning anyone who knows them can access the system forever. Many vulnerabilities have been exploited because individuals never changed their default password. Even more dangerous is this sort of hard-coded backdoor, because the user is unable to remove the vulnerability. Since the government may purchase thousands of units of each internet-connected device, a single back door could pose a massive security risk. Specifically, here’s what the government is mandating:
- “[The device does] not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication.”
2. Access & Updates
The government has been using internet-connected devices before; why are they only now mandating they be updatable? What’s changed? In a word, the device longevity. Phones and computers can have two-or three-year timelines. While cybersecurity can predict many short term threats, many new internet-connected devices have 15 or 20 year life spans. These updates would allow the government to keep pace with threats over a much longer time horizon. Without the ability to update, a vulnerability could go undiscovered for years and, even after it’s found, still be unfixable. If this bill passes, government purchasing contracts will include:
- “A clause that requires such Internet-connected device… to be updated or replaced… in a manner that allows for any future security vulnerability… to be patched.”
3. Continuing Security Support
If you’ve ever tried to track a warranty or service plan–like taking your car in for maintenance whenever it comes due–multiply that by thousands and make the requirements highly technical and you’ll see why the government mandate the vendors perform this tracking themselves. As IoT devices invade all areas of life, the government will be inundated with security considerations. They could employ a whole department and still be unable to juggle all the individual security timelines. Instead, they’re requiring the vendor to track and notify of these elements. Specifically, the vendors will be required to provide two types of information: a timeline for ending security support and formal notification when it ends. Not only would security support be provided by the vendor; this bill would mandate they manage the process, too. The bill would require that all vendors provide:
- “Information on the ability of the device to be updated, such as— the anticipated timeline for ending security support associated with the Internet-connected device;
- formal notification when security support has ceased”
As it’s written, this bill only raises security standards for vendors selling internet-connected devices to the government. It’s likely, however, to have broader effects:
Sets a precedent for more legislation
Many experts believe IoT security is years behind, so this legislation is only the beginning. As laws like it gain traction, they’re likely to inspire more, both in the U.S. and abroad. For example, Congress is also considering the Securing IoT Act, which would create cybersecurity standards for devices that emit radio frequency, and California passed a similar standalone law on September 28th that requires heightened security features for internet-connected devices. While California’s bill is not as comprehensive as the IoT Cybersecurity Improvement Act, it includes similar sections, such as its requirements on login credentials. Additionally, California’s law applies to all devices manufactured or sold in California, which makes it apply to consumer-directed goods as well. The law goes into effect in 2020, and since California is the 5th largest economy in the world, expect corporate security standards to update upwards. Also, like it’s national counterpart, its passage is expected to spur future legislation.
Puts the onus on corporations
By requiring that these elements be included in vendor contracts, the government is putting the onus on the vendors. They recognize that they can’t ensure the security of all the items they buy, so they’re passing the buck. This decision may inspire corporations to include the same requirements in their contracts. That way, if they receive a vulnerable device, they have someone else to blame–or even hold liable.
Increases focus on IoT cybersecurity
While it only directly affects government purchasing, his bill could incidentally raise the bar for the whole nation’s IoT security. For example, it could start trends among private corporations such as a moratorium against hardcoded credentials. Additionally, while its security standards are based on the National Institute of Standards and Technology, it also includes provisions that, instead of adhering to this level of security, a vendor can adhere to an alternate level so long as it’s greater. For IoT security, it seems reasonable to believe this bill would set a lower bound.
No effect on consumers
While consumers will experience any industry effects, they are unlikely to see any effects particular to them. Government contracts are typically large, so corporations may simply make a special version of a device, meaning the version for consumers won’t necessarily follow these guidelines. Additionally, consumers don’t have the buying power of the U.S. government, so it’s less likely that they’d successfully put the security onus on vendors.
As the number of internet-connected devices accelerates dramatically, we’ll start seeing more and more cybersecurity legislation. As the world trends toward more internet-connected devices, security is playing catch-up. These standards need to exist or we’re all at risk.