Last Monday, a bipartisan group of Congressional members introduced in the Senate and House the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. Sponsored by Senators Mark Warner (D-VA), Cory Gardner (R-CO), Maggie Hassan (D-NH), and Steve Daines (R-MT) and Representatives Robin Kelly (D-IL) and Will Hurd (R-TX), the bill is a revised version of an earlier bill of the same name introduced in 2017 with different co-sponsors.
Although the bill’s remit covers a seemingly pedestrian and limited area of government – IT procurement – it’s a shot at solving a much larger cybersecurity problem that neither Congress nor industry has yet cracked. If enacted, the bill would establish a requirement that IoT devices purchased by government agencies must meet minimal standards for security set by the National Institute of Standards and Technology (NIST), an agency that operates under the Department of Commerce and is responsible for developing measurements, technical guidelines, and standards for use in industry and government. By leveraging the power of government spending, these standards would both set a baseline for companies selling products to the government and, potentially indirectly and over time, shape the practices of IoT product vendors and developers that sell to consumers and enterprises.
The Internet of Insecure Things
If you look around yourself right now, regardless of where you are, chances are high that anything that runs on electricity or batteries may some day be controlled or augmented by embedded, networked computers and sensors. Research firms like Gartner estimate around 10 billion devices are already connected to the internet, and IoT is projected to become a trillion dollar market.
The momentum behind this trend started decades ago in industrial and commercial settings, well before the phrase “Internet of Things” entered the common vernacular. Now, it is reshaping markets and companies. Consider, for example, that GE – a century-old industrial giant renowned for making things that spin, like jet engines and washing machines – announced in 2016 a pivot in focus to software platforms and data.
In recent years, we reached a tipping point of sorts at which the economics and the maturity of enabling IoT technologies have become favorable for widespread integration in products and environments of all kinds, not only for the GEs of the world. Computers and sensors can now be cheaply produced in small packages that can be embedded into an object of nearly any size. Small form factors no longer dictate computational power, since it is possible to extend functionality through cloud and wireless technologies. The barriers to entry are also low. The expertise needed to enter the market is minimal. It is easy and cheap to integrate IoT technology into a product with wholesale modular components. This partly explains the influx of new consumer-oriented products of dubious value alongside more transformative applications of IoT for businesses and government.
As the ecosystem of IoT devices, components, developers, and vendors balloons, so too do the risks to privacy, security, and safety. Many products lack basic security features or ship from factories with exploitable vulnerabilities and flawed designs that could have easily been avoided with some forethought. This issue is so significant that the Office of the Director of National Intelligence has consistently identified it as a threat to national security in its Worldwide Threat Assessment reports since 2017.
Cybersecurity was already an enduring problem before IoT arrived on the scene. However, insecure IoT devices amplify all of the existing challenges for privacy and security and introduce some new ones. For instance, end users and systems administrators already have difficulty following basic cyber hygiene practices. IoT devices scale this problem exponentially. Even if users could be bothered to apply patches, some IoT devices outright lack the ability to be updated. Perhaps most troublingly, many IoT devices masquerade as everyday objects without traditional interfaces and utilize an array of sensors, such as microphones, cameras, and GPS chips, for interacting with users and to collect data about the environments in which they are deployed. As these devices make their way into our homes and other spaces, they have the propensity to profoundly disrupt our notions of privacy and security as they become vectors for surveillance and other intrusions. The potential impact on civil and critical infrastructure could also be serious.
A plethora of IoT and software security standards exist, and the pitfalls of insecure designs and development practices are reasonably well understood. Despite this, getting vendors to incorporate better practices is anything but easy. It is a problem for any device that runs code, not just IoT.
There are a variety of explanations for why this is the case. Some scholars have explained the phenomenon of insecurity in economic terms as a problem of misaligned incentives or market failure, in which developers and vendors do not bear the risk or costs when the security of their products fails. Moreover, while consumers value security features, they are generally unwilling to pay a premium for them in products. Consequently, building in security features is not worth the effort for many vendors and developers of low-cost IoT devices. Another key reason is the lack of any generalized regulation or tort liability schemes that would encourage vendors to adopt better practices. Similar to the historical trajectory of other emerging industries, Congress has largely relied on technology vendors and market mechanisms to self-regulate consumer harms without, for instance, enhancing the Federal Trade Commission’s Section 5 authorities, which are limited to regulating unfair and deceptive trade practices against consumers.
The IoT Cybersecurity Improvement Act
Similar to its first iteration, the IoT Cybersecurity Improvement Act of 2019 ostensibly takes aim at poorly-designed IoT devices that might be purchased and used by federal agencies.
Unlike the original version of the bill in 2017, which provided in the text a list of specific security requirements, the 2019 version calls on NIST to create a series of security attributes for products and guidelines for coordinated vulnerability disclosures. A standard for secure attributes would, for example, set benchmarks for device security (i.e., protecting the device, data, and its users against known risks and threats) and indicate design and engineering conventions for achieving them. A vendor could then follow the standard as a blueprint toward achieving compliance and be eligible for procurement. As it happens, NIST is already working toward creating a suite of IoT security guidance, and a discussion draft on point already exists.
The guidelines for coordinated vulnerability disclosure would target a different problem – how vendors, contractors, and agencies deal with vulnerabilities discovered in IoT devices already in use. Although NIST does not currently have a draft on coordinated disclosures for IoT, a lot of guidance exists elsewhere. Presumably, the NIST guidelines would similarly require vendors and agencies to create a process for receiving and disseminating information about vulnerabilities discovered by independent security researchers, and to establish channels of communication, validation of the discovery, as well as timelines for action, remediation, public disclosure, and the like. Such disclosure policies have been a well-known sore spot in the private sector.
By piggybacking on an existing NIST program, the bill solves some practical problems. Since the program is already underway, it is less likely to become mired in bureaucratic processes. More critically, it leaves the creation of security requirements to technical experts who are in a better position to define the contours of the guidelines and engage with industry. Arguably, this makes adoption more likely since NIST has earned a good track record. Established members of the private sector have come around to support and voluntarily adopt other NIST efforts like the Cybersecurity Framework. A NIST standard for IoT security would offer some measure of parity with the Cybersecurity Framework, which also perhaps increases the likelihood of adoption.
The bill has other noteworthy features. It defines IoT devices broadly, but excludes “general-purpose computing devices,” including personal computers, mobile phones, and programmable logic controllers (PLCs), which are devices used to monitor and control industrial processes and mechanical systems. This definition could be interpreted to capture a lot of things or only a few, depending on how one reads “general purpose.” By exempting PLCs, the bill carves out a lot of industrial systems from the regime. The bill also broadly defines vulnerability as “any attributes . . . that could enable the compromise of the confidentiality, integrity, or availability of an information system.” These will surely be points of contention. In tandem with this, the bill incorporates an appeals mechanism whereby a vendor or agency can appeal to the Office of Management and Budget (OMB) to exclude a specific device from the rule. OMB is also directed to review the applicable NIST standards for revision every five years.
Although the bill falls short of a full-blown regulatory or liability regime for IoT security, it could make some significant strides towards ratcheting up the status quo not just for government agencies but for the general public, too. The theory of change is that by catalyzing adoption of NIST standards by requirement for a small slice of the private sector, those standards become a norm to which more vendors will voluntarily adhere, because they hope to sell their products to government agencies in the future or because it is fashionable. How much spillover to expect is anyone’s guess. At the very least, this could serve as a laboratory and training ground for developing a program that could eventually scale to arenas beyond procurement. Assuming IoT insecurity will persist, regulatory interventions will only become more likely, and the regulatory experience gained from this legislation would be beneficial.