We’re more connected, but less secure. Internet of Things (IoT) technology is dramatically outpacing regulation. Before, only phones or computers were web-connected, but now so are cars, toasters, video cameras and door locks. Many of these devices are connected without much regard for their security ramifications, so government legislation is finally catching up. One important bill in Congress, the IoT Cybersecurity Improvement Act, would add significant security requirements for government vendors. It would go a long way toward improving IoT security.
What Is the IoT Cybersecurity Act?
At a glance, the IoT Cybersecurity Improvement Act sets new purchasing requirements for government agencies. Specifically, agencies would be required to include an assortment of clauses in their purchasing contracts that mandate higher security standards for internet-connected devices.
Why It Matters
Internet-connected devices are growing exponentially, from 23 billion in 2018 to a predicted 75 billion by 2025. Many recent hacking events, such as those listed below, could have been prevented by cybersecurity strategies, like those employed in this bill.
- In October of 2016, an attack shut down the internet for much of the Eastern seaboard by employing a coordinated effort of internet-connected devices, including baby monitors and webcams.
- Part of the recent Equifax breach can be traced to their use of the word “admin” as a username and password.
Internet downtime can cost a company upwards of $100,000 per hour. The Equifax breach revealed sensitive information of 143 million Americans. If these are the impacts when a private corporation is attacked, it’s clear why the government needs to get ahead of them.
What the IoT Cybersecurity Improvement Act Does
This bill would mandate a variety of clauses in relevant purchasing contracts signed by government agencies. These clauses fall into two categories:
- Verifications: claims the vendor would be required to make about their device
- Behavioral requirements: security practices the vendor would be required to complete
Any vendor selling an internet-connected device would have to affirm the following about the device:
- Does not contain any known security vulnerabilities
- Uses industry-standard technology for security and communication
- Can be securely accessed and updated by the vendor
- Doesn’t have any fixed or hard-coded credentials
After the device is provided to the government, the vendor would be required to do the following:
- Notify the government if they later learn of a vulnerability
- Update devices to ensure their security
- Repair or replace devices, should there come a security need
- Provide information on continuing security support, including a support timeline and notification when support ceases
While the motivation behind some of these stipulations is relatively clear, others require some explanation. Let’s tackle three that could use some explanation.
1. Hard-Coded Credentials
Imagine if every iPhone could be accessed by the same password. No matter how secure an individual made their personal password, a hacker who knew this skeleton key would still be able to break in. Tim Cook, Apple’s CEO, has called such a possibility “dangerous” and “chilling.”
Hard-coded credentials are just that: a username and password built into the machine. They fundamentally can’t be changed, meaning anyone who knows them can access the system forever. Many vulnerabilities have been exploited because individuals never changed their default password.
Even more dangerous is this sort of hard-coded backdoor, because the user is unable to remove the vulnerability. Since the government may purchase thousands of units of each internet-connected device, a single back door could pose a massive security risk. Specifically, here’s what the government is mandating:
“[The device does] not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication.”— S.1691 – Internet of Things (IoT) Cybersecurity Improvement Act of 2017
2. Access and Updates
The government has been using internet-connected devices before; why are they only now mandating they be updatable? What’s changed? In a word, the device longevity. Phones and computers can have two- or three-year timelines. While cybersecurity can predict many short-term threats, many new
These updates would allow the government to keep pace with threats over a much longer time horizon. Without the ability to update, a vulnerability could go undiscovered for years, and even after it’s found, it could still be unfixable. If this bill passes, government purchasing contracts will include:
“A clause that requires such internet-connected device… to be updated or replaced… in a manner that allows for any future security vulnerability… to be patched.” — S.1691 – Internet of Things (IoT) Cybersecurity Improvement Act of 2017
3. Continuing Security Support
If you’ve ever tried to track a warranty or service plan—such as taking your car in for maintenance whenever it comes due—multiply that by thousands and make the requirements highly technical, and you’ll see why the government mandates the vendors perform this tracking themselves. As IoT devices penetrate all areas of life, the government will be inundated with security considerations. They could employ a whole department and still be unable to juggle all the individual security timelines.
Instead, they’re requiring the vendor to track and notify of these elements. Specifically, the vendors will be required to provide two types of information: a timeline for ending security support and a formal notification when it ends. Not only would security support be provided by the vendor; this bill would mandate they manage the process, too. The bill would require that all vendors provide the following:
- Information on the ability of the device to be updated, such as— the anticipated timeline for ending security support associated with the Internet-connected device
- Formal notification when security support has ceased
As it’s written, this bill only raises security standards for vendors selling internet-connected devices to the government. It’s likely, however, to have broader effects.
It Sets a Precedent for More Legislation
Many experts believe IoT security is years behind, so this legislation is only the beginning. As laws like it gain traction, they’re likely to inspire more, both in the U.S. and abroad. For example, Congress is also considering the Securing IoT Act, which would create cybersecurity standards for devices that emit radio frequency. California passed a similar standalone law on September 28th that requires heightened security features for internet-connected devices.
While California’s bill is not as comprehensive as the IoT Cybersecurity Improvement Act, it includes similar sections, such as its requirements on login credentials. Additionally, California’s law applies to all devices manufactured or sold in California, which makes it apply to consumer-directed goods as well. The law goes into effect in 2020, and since California is the 5th largest economy in the world, expect corporate security standards to update upwards. Also, like it’s
It Puts the Onus on Corporations
By requiring these elements be included in vendor contracts, the government is putting the onus on the vendors. They recognize they can’t ensure the security of all the items they buy, so they’re passing the buck. This decision may inspire corporations to include the same requirements in their contracts. That way, if they receive a vulnerable device, they have someone else to blame, or even to hold liable.
It Increases Focus on IoT Cybersecurity
While it only directly affects government purchasing, this bill could incidentally raise the bar for the whole nation’s IoT security. For example, it could start trends among private corporations such as a moratorium against hardcoded credentials. Additionally, while its security standards are based on the National Institute of Standards and Technology, it also includes provisions that, instead of adhering to this level of security, a vendor can adhere to an alternate level so long as it’s greater. For IoT security, it seems reasonable to believe this bill would set a lower bound.
It Has No Effect on Consumers
While consumers will experience industry effects, they are unlikely to see any effects particular to them. Government contracts are typically large, so corporations may simply make a special version of a device, meaning the version for consumers won’t necessarily follow these guidelines. Additionally, consumers don’t have the buying power of the U.S. government, so it’s less likely they’d successfully put the security onus on vendors.
As the number of internet-connected devices accelerates dramatically, we’ll start seeing more and more cybersecurity legislation. As the world trends toward more internet-connected devices, security is playing catch-up. These standards need to exist or we’re all at risk.