Security researchers have been warning for years that the government will soon get involved in defining the security standards of the Internet of Things (IoT) industry, and it looks like that time has finally come.
Of course, the proposed bill that's set to move through the US Senate doesn't exactly say that all IoT manufacturers need to do this, this and this in terms of the security of their devices, because making such demands of a free market is a bit difficult. What it can do, however, is accelerate the process of getting all these companies to find some common ground on security, by requiring that they follow certain rules if they want to be able to sell IoT devices to the US government.
In this way, the US government isn't too intrusive on the private business of thousands of companies out there, but it still wants to make sure that at least its agencies are safe from intrusions.
In the past few years, there have been countless attacks on IoT devices, made easy by the complete lack of security on some devices or the many faults found in others. In fact, hundreds of thousands of these gadgets have been hacked, and the perpetrators used them to build up massive botnets to power Distributed Denial of Service (DDoS) attacks.
DDoS attacks are those situations where a targeted system is flooded with enough traffic to take it down. For instance, back in June, Skype went down for a couple of days due to such an attack, while an attack on domain registrar Dyn took out Twitter, Spotify, Reddit and others last year. Incidents of this type happen all the time, although many of them are countered effectively and don't affect users.
The situation has become so dire, in fact, that one self-proclaimed white hat hacker created a trojan of their own called Hajime, which infected hundreds of thousands of vulnerable devices just so it could close the open ports that gave malicious actors access.
Security researchers such as Bruce Schneier have discussed the issue of IoT security at length over the years, decrying the poor state it is in: some devices are not even able to receive security updates when needed, while others, including children's toys, are simply open to anyone with any sort of hacking skills. It seems that in our race to create an interconnected world, we've forgotten that we are all vulnerable to those who want to make a buck off our private data.
The IoT bill
US senators have created the IoT Cybersecurity Improvement Act of 2017, which basically amounts to throwing the US government's weight around in order to force IoT manufacturers to improve device security, in the hope that these standards will also bleed into the mass production sector and, therefore, apply to regular customers too. In short: "if you want to do business with the US government, your devices need to be safe, or you're out of the race for contracts."
The bill requires the White House Office of Management and Budget to develop network-level security requirements for IoT devices, while also running inventory on all Internet-connected devices in use by the agency.
The proposed bill defines IoT devices pretty broadly, saying they are physical objects capable of connecting to the Internet, and with computer processing capabilities that can collect, send or receive data.
Truth be told, the bill is just the foundation that they need to build on. While it addresses the need for the devices to be able to receive security updates, it fails to properly address the issue of data collection and processing. It does, however, make it clear that no device with known vulnerabilities listed in NIST's National Vulnerability Database, or any other similar credible database, will be accepted for government purchase. It also states quite clearly that a device must not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication, because that could be a vulnerability for the user.
More needs to be done to ensure regular users are protected, of course, such as stricter rules about data collection and processing, specific rules about security levels and communication protocols between the device and the Internet, and so on. At this point, however, it's the first step that needs to be taken, and one that has the potential to spread to regular users, since the government uses the very same devices the rest of us do.
Of course, there's the question of whether these changes would trickle down to regular users at all. In fact, not all manufacturers have government contracts, so why would they comply with rules that don't apply to them, right? But that's the thing. Once people hear that a certain device is safer than another, they'll spend more on the one that provides them with both the quality they need and the safety they desire. In this way, the market should regulate itself, which is what the senators want in the first place.