IoT Security at the Speed of Government

The threat posed by an unsecured Internet of Things (IoT) is so dire that it has spurred an act of Congress. Earlier this month, a bipartisan group of Senators introduced the Internet of Things Cybersecurity Improvement Act of 2017. And while it falls short of what security experts would agree is nirvana, it does represent an important first step in the race to secure the IoT.

For those who are surprised (and not familiar) with the bill, it outlines a basic set of principles for any vendor who wants to sell to the U.S. Government. It calls for all vendors of “internet-connected devices” to declare that there are no known vulnerabilities within the products they manufacture, notify agencies where vulnerabilities do exist, and provide either updates or workarounds when vulnerabilities are discovered. The bill also sets some common sense best practices, such as not allowing hard-coded passwords. Keep in mind that while the bill would have implications for vendors, there is still a process in order for it to advance in Congress.

For industry, there are elements of the current dialogue that cause some concern. With any legitimate discussion about security and privacy around a new and emerging technology, it is important to take a prudent approach that considers cost, impact to users, and constraint of investment and innovation that may result from a legislative or regulatory remedy that inhibits technology progress. A collaborative approach that engages industry and government and gets both groups working together to identify and pursue solutions that meet common objectives in a productive manner is most effective.

But this raises an interesting question. Given how nascent IoT is and the rate at which it will evolve in the coming years, will the public be safeguarded by legislation that simply aims at a set of best principles and disclosures by vendors or is securing IoT best left to the private business?

It’s easy to make arguments about how this proposed legislation really only targets those vendors selling into the U.S. Government, leaving a huge attack surface uncovered. Those with a negative view of vendors will also make the argument that some vendors will prioritize profit over security, refusing to make substantial changes to their offerings if it means impacting their business (a falsehood).

Instead, I’ll argue that this proposed bill is a strong opening move. Like all governments, the U.S. Government is not exactly the paragon of agility. The fact that the government positioned new legislation so quickly with bipartisan support is frankly somewhat miraculous. The flip side of this speed is that to some extent, the bill had to be relatively neutral to get introduced so quickly.

But is this the outcome we really want?

The efficacy of the legislation isn’t going to be about how complete this first bill is. Long-term success is going to rely on the government’s ability to partner with technology companies to stay ahead of the threats. The issue, of course, being that even with the best advisors, the government still moves at the pace of consensus.

And that’s before we consider the effect of lobbying. While industry understands the need for privacy and security for the IoT, there are competing interests among companies. Pessimists may say that companies will be inclined to lobby for less stringent requirements or lobby for conditions that favor their patent portfolio.

And what about the jockeying and positioning from inside the government? The IoT might look like a great way to save energy or quickly set mood lighting to the average consumer, but to law enforcement, IoT is a veritable treasure trove of information, all a mere subpoena or search warrant away. And this will attract the privacy groups who may oppose this possibility.

With all these competing self-interests, there simply isn’t going to be a coherent security strategy that is going to emerge that has even a prayer of evolving at the rate it needs to as IoT ramps up and hits the mainstream. This means that private industry will need to lead.

In most trust-based systems, positive outcomes require collaboration. This means putting collective interests above individual interests. In economic theory, this creates what is known as the Tragedy of the Commons. While it’s in everyone’s interest to keep the commons healthy, it’s in everyone’s self-interest to take what they can. Without collaboration, everyone self-indulges to the detriment of the entire community.

The Challenger is a series of posts authored by a member of the Juniper Networks Executive Team. The goal is to challenge existing norms about technology, business and society.