Can the Feds Force Trickle-Down Security on the Internet of Things?
Believe it or not, the two parties in Congress and the President have agreed on something both significant and substantive since Election Day: Not just that the Internet of Things (IoT) needs better security, but on how to do it — or at least try.
Both houses of Congress passed — unanimously! — and President Trump signed, the “Internet of Things Cybersecurity Improvement Act of 2020, an effort that began more than three years ago.
There is no question about the need — it’s blindingly obvious. You could count the reasons. Actually, you couldn’t count them, at least not without a computer. Even if you counted 200 per minute, it would take decades to get through a fraction of the estimated 31 billion IoT devices now in use — and by then you’d be further behind because the number continues to grow faster than you can count.
And, as has been exhaustively reported and documented, most of the software that powers the IoT is riddled with vulnerabilities. Just about every IoT device poses risks to its users. The IoT, now more accurately named the Internet of Everything, is the biggest, broadest, most vast “attack surface” in the world for hackers. Connected devices reach into every corner of personal and corporate life — appliances, buildings, traffic control, utilities, vehicles, healthcare, education … the list goes on.
So perhaps a more relevant question is: Can a government edict make IoT security better?
And we’re about to find out. While recommendations and “guidance” on better IoT security have for years been coming from federal agencies like the National Institute of Standards and Technology (NIST), this is a law, not a recommendation.
“NIST can beg government and industry to do whatever until the cows come home,” said Michael Borohovski, director of software engineering at Synopsys’ Software Integrity Group (SIG). “But the various agencies can still choose whether or not to implement those recommendations. This bill removes that choice.”
Market clout as leverage
The law won’t really be functional for at least another year (time enough for a few billion more devices to come online). But its premise is that the federal government can force better security into the consumer IoT through its purchasing power. Trickle-down security, so to speak.
It mandates that the feds buy only devices that conform to security standards set by NIST, which must cover, “at a minimum,” secure development, identity management, patching, and configuration management — long considered security fundamentals.
It also orders the Office of Management and Budget (OMB) to issue guidelines that conform to the NIST recommendations, and to review and possibly update them at least every five years.
Sen. Mark Warner (D-VA), cosponsor of the Senate version of the bill, said in a press release that the law “will harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell.”
Maybe. So far, the reviews from security experts are generally positive, but still mixed. One post called it a “landmark accomplishment,” but most of the compliments fall into the “good-beginning,” “foundation,” or “step-in-the-right-direction” category.
Borohovski says it is both. “I think it’s fantastic but it’s also just a start,” he said. “That is, the law sets up a blueprint for future enforcement by mandating that NIST develop standards and that federal departments/branches implement them, but there is a lot more that it could do.”
Jim Dempsey, of the University of California Berkeley School of Law, wrote in a Lawfare blog post that the law “gives Congress important oversight leverage” to push for better IoT security but that overall it is “more of a ratification of measures already under way or completed.”
Lots of guidance
Indeed, in the past two years, NIST has issued multiple guidance documents on IoT security including:
- November 2018: “A Road Map Toward Resilience Against Botnets,” which included specific tasks designed to establish “a widely adopted security capability baseline for federal IoT products.”
- June 2019: NISTIR (NIST internal report) 8228, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.”
- May 2020: NISTIR 8259, “Foundational Cybersecurity Activities for IoT Device Manufacturers”; and NISTIR 8259A, “IoT Device Cybersecurity Capability Core Baseline.”
- December 2020: Several draft guidance documents including SP 800–213: “IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements.”
James E. Lee, chief operating officer at the Identity Theft Resource Center, agrees that the law essentially “ratifies what is already happening. However, memorializing the NIST and OMB efforts in the law ensures that they survive beyond any given administration or Congress,” he said. “That’s a huge step in the cybersecurity and privacy efforts of the federal government.”
But Dempsey also noted that after ferocious industry pressure against the first version of the bill in 2017, the current version is longer on generalities than specifics.
While he agrees that collaboration with the industry is necessary, he said the effectiveness of the bill “depends on whether the Biden administration’s NIST is as deferential to the Chamber of Commerce and other industry associations as the Trump administration was.”
Also, as has been noted by some experts, there is visible “wiggle room” around which devices the law covers.
Chris Clark, senior manager of embedded ecosystems at Synopsys, noted last fall after the House approved the bill that “the definition of an IoT device is followed by a list of exclusions and a process for modification of the definition.”
His colleague, Jennifer Janesko, senior consultant at Synopsys’ SIG, agrees. While the law mandates that government agencies must buy only devices that comply with the standards specified by NIST, that directive is immediately followed by qualifiers.
“It allows waivers based on interest in national security, for the acquisition of devices for research purposes, and for devices that demonstrate security controls that are different from what is in the NIST guidelines,” she said.
That, she said, could leave “whole classes of devices outside the scope of applicability. So vendors of these types of devices will not feel any legal pressure to improve their security posture.”
Lee doesn’t think that will be a problem. “Legislation and regulations do not work in the tech space unless the private sector is heavily involved,” he said. “Technology advances too fast for public policy to keep up, especially if you try to be prescriptive and detailed.”
And Rehan Bashir, managing consultant at Synopsys’ SIG, said he thinks the NIST guidance so far has been “quite comprehensive. It addresses both technical and nontechnical baselines for IoT devices,” he said. “We will have a better understanding of its effectiveness once it’s adopted. I am sure there will be updates to the standards as they are put into practice.”
But then there is enforcement. The law says federal agencies can only buy IoT products that meet the security standards and guidelines set by NIST and OMB but it spells out no penalties for those that do otherwise.
“The primary penalty in the law seems to be a prohibition on procurement and use of a device if an agency CIO believes its use prevents the agency from complying with various directives,” said Sammy Migues, principal scientist at Synopsys’ SIG. “That is immediately followed by a section on getting waivers.”
“If you’re a vendor that hasn’t built security into an IoT device and want to win a $100-million government contract, do you stop all feature development for months and work on secure software and hardware design, or do you spend one day creating great slides that help the overworked, underpaid, under-appreciated, perhaps out-of-their-depth CIO work the waiver process?”
But Bashir said that even without specific penalties he thinks the law will have some teeth. “Noncompliance has the potential to expand legal risks significantly in areas such as privacy if sensitive data is compromised due to lack of implementation of security recommendations on IoT devices as prescribed in NIST,” he said.
Lee also sees no cause for concern. “There was no reason to include a specific penalty or enforcement provision unless Congress wanted an enhanced penalty for some reason,” he said. “OMB already has the power to set penalties and enforce any violation of federal purchasing guidelines or requirements.”
Whatever the specifics — rigorous or watered down — and whatever the level of enforcement, the impact of the law won’t be known for some time. The bill allows nine months for NIST and OMB to issue IoT security guidelines.
And whether this will, as advertised, trickle down to the consumer market, probably won’t be known for years.
Logically, it should. As HelpNet Security put it, “It’s not practical for a manufacturer to follow two separate guidelines, so the standards for government-contracted devices will likely be applied to all devices on the assembly line.”
Lee has noted in the past that the federal government “has a lot of market clout,” through the purchase of about $1.2 trillion of goods and services each year. He added that most state governments follow federal standards with their procurements as well.
He said this past week that “government purchasing practices can move markets in ways consumers cannot. Many of the product changes we’re going to see as a result of this law may have occurred naturally over time, but now they will happen faster and with less pain.”
Borohovski is also optimistic. He doesn’t see it as a major game-changer but says even incremental improvement is a very good thing.
“There’s no magic pill — never will be. But it does incrementally improve IoT security across the board, by virtue of the federal government having standards and enforcing security as a prepurchase requirement. That is an extremely positive move in the direction of better security.”