IoT Security Raises Concerns for US Senators

A bipartisan group of US senators is looking to get a better handle on the Internet of Things (IoT) and security as the number of connected devices continues to grow and the federal government invests more in the technology.

Introduced on Tuesday, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require any IoT device purchased by the federal government to meet a specific set of security requirements.

The security bill has backing from Republican and Democratic senators, including US Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), who are the co-chairs of the Cybersecurity Caucus, as well as Sens. Ron Wyden (D-OR) and Steve Daines (R-MT).

At a minimum, the proposed bill would require government contractors who supply IoT devices to ensure that sensors and other hardware are patchable, that the devices do not ship with hard-coded passwords, and that they are free of any known security vulnerability at the time they are installed.

In short, the bill aims to ensure basic network and device security before an agency starts connecting these devices to the Internet.
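Of the three minimum requirements above, the ban on hard-coded passwords is the one that is easiest to check mechanically against a device before it is accepted. The script below is an added example, not code from the article, the bill, or any vendor: it walks the files of an unpacked firmware root filesystem (the kind of tree a tool such as binwalk extracts) and flags accounts in `etc/shadow` with a baked-in password hash, configuration keys that hold a literal credential, and `user:password` pairs left in binary strings. The sample filesystem, file names, hashes and key names are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a handful of files as they might look after unpacking a
# device firmware image. Paths, hashes and values are made up for this example.
SAMPLE_ROOTFS: Dict[str, str] = {
    "etc/shadow": (
        "root:$1$saltsalt$Kq7Rz0fO9dD9yW0pYV1mS1:17000:0:99999:7:::\n"
        "admin:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:17000:0:99999:7:::\n"
        "nobody:*:17000:0:99999:7:::\n"
        "daemon:!:17000:0:99999:7:::\n"
    ),
    "etc/config/camera.conf": (
        "device_name=SmartCam\n"
        "rtsp_user=admin\n"
        "rtsp_password=admin1234\n"
        "cloud_token=\n"
    ),
    # Output of `strings` run over a web daemon binary (constructed).
    "usr/bin/httpd.strings": (
        "GET /cgi-bin/login\n"
        "admin:admin\n"
        "Content-Type: text/html\n"
    ),
}

# Password-field values that mean "no usable password" in passwd/shadow files.
LOCKED_HASH = {"", "*", "!", "!!", "x"}
# Config keys whose value is a credential if it is non-empty.
CREDENTIAL_KEY = re.compile(r"(pass(word|wd)?|pwd|secret|token|api_?key)$", re.I)
# A bare user:password pair as it often appears in firmware binaries.
USER_PASS_PAIR = re.compile(r"^(?P<user>[a-z][a-z0-9_]{1,15}):(?P<pw>[^:\s]{1,32})$")
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*[=:]\s*(.+)$")


def find_hardcoded_credentials(rootfs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, description) findings for every hard-coded credential found."""
    findings: List[Tuple[str, str]] = []
    for path, content in rootfs.items():
        for raw in content.splitlines():
            line = raw.strip()
            if not line:
                continue
            # Account databases: any account with a real hash is a baked-in password.
            if path.endswith("etc/shadow") or path.endswith("etc/passwd"):
                fields = line.split(":")
                if len(fields) >= 2 and fields[1] not in LOCKED_HASH:
                    findings.append((path, f"account '{fields[0]}' has a baked-in password hash"))
                continue
            # Config files: a credential-looking key with a literal, non-empty value.
            m = KEY_VALUE.match(line)
            if m and CREDENTIAL_KEY.search(m.group(1)) and m.group(2).strip():
                findings.append((path, f"key '{m.group(1)}' holds a literal credential"))
                continue
            # Binary strings: an embedded user:password pair.
            if USER_PASS_PAIR.match(line):
                findings.append((path, f"embedded user:password pair {line!r}"))
    return findings


if __name__ == "__main__":
    for path, what in find_hardcoded_credentials(SAMPLE_ROOTFS):
        print(f"{path}: {what}")
```

Two caveats a reviewer would add: the script only sees what the extractor gave it, so credentials compiled into a binary as obfuscated or split strings, or held in an encrypted partition, need a separate pass; and a hash in `etc/shadow` is only acceptable if the device forces a credential change before it can be used, which the check cannot see and which should be verified by hand on the device.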

"This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products," Warner wrote in an August 1 statement supporting the bill.

In their statement, the senators point to the growing volume of IoT and connected devices, citing a widely circulated Gartner report that finds connected devices will grow from 8.4 billion this year to over 20 billion by 2020. Spending on IoT and related services is also expected to hit $2 trillion by the end of this year.

If passed, the bill would set minimum standards for IoT security, as well as several other guidelines for handling connected devices. These include:

  • Allowing the federal Office of Management and Budget to create alternative network-level security requirements for devices with limited data processing and software functionality.
  • Directing the Department of Homeland Security to issue cybersecurity disclosure guidelines to contractors who are supplying connected devices.
  • Giving security researchers some liability protection if they are investigating IoT security flaws.
  • Requiring each executive agency to inventory all connected devices.

The fact that these senators are recognizing IoT security is a big step toward ensuring not only the government, but enterprises and consumers as well, are protected. Since many connected devices send information back to the cloud, the harm from a breach of one device can extend well beyond the device itself.

One of the root causes of IoT security problems, including malware infections and the distributed denial-of-service (DDoS) attacks launched from compromised devices, is the way these devices are designed.

In a column for our sister site Security Now, Pawani Vaddi, a product manager for consumer devices at Webroot, wrote that IoT developers do not build security in at the design and manufacturing stage, which leaves these devices open to attack, a concern Warner's statement echoed. (See How Secure Are Your IoT Devices?)

Additionally, an IDC report published in June found that spending on IoT security hardware will increase at a compound annual growth rate (CAGR) of 15.1% between now and 2021. Over the same period, spending on IoT security software will increase at a CAGR of 16.6%. (See IoT Spending Will Reach $1.4T by 2021 – Report.)

In his statement, Warner noted that he has written to the Federal Trade Commission about the data that "smart toys" collect, as well as about concerns raised after the Mirai botnet attack, which was carried out using compromised IoT devices. (See Level 3's Drew Sees Liability Issues in IoT Botnets.)

— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.

mhhfive 8/22/2017 | 7:15:35 PM
Re: Bipartisanship vs. Botnets Agreed. Lawmakers don't seem savvy enough to be able to regulate IT security with competence -- and are more likely, as you point out, to simply hand over the reins to IT security firms with money and campaign donations, regardless of their effectiveness.

Maybe they can start with a subset of IT security and limit the scope of the law until it's "proven" to be unbiased and effective? Nah... that'll never actually work.
kq4ym 8/22/2017 | 3:18:01 PM
Re: Bipartisanship vs. Botnets I'm skeptical that law makers can make rules and regulations that will fully do what they intend. It somehow reminds me of how agencies write proposals for bidding that favor one particular company or industry. Any company providing IoT to the government would naturally want to be very cautious about security issues of their service and devices probably without some stated rules I would guess. Now on the other hand, devices to consumers might not be so highly developed and maybe laws on that end might be justified to keep everyone on their security toes.
Susan Fourtané 8/11/2017 | 7:02:34 AM
Re: Bipartisanship vs. Botnets Yes. I was asking in a sarcastic way. More like saying that I don’t think seasoned hackers have to wait to get any input from social media.
Phil_Britt 8/10/2017 | 7:30:50 AM
Re: Bipartisanship vs. Botnets Hackers don't HAVE to wait, but many use spearphishing, relying on a known element of a person's background (easily obtained via social media) as a lead-in to obtain the info to break into an account.
Susan Fourtané 8/10/2017 | 1:34:34 AM
Re: Bipartisanship vs. Botnets Do hackers really need to wait until people share about their smart things on social media?
Phil_Britt 8/9/2017 | 7:57:58 PM
Re: Bipartisanship vs. Botnets Though you are right that there will be breaches, people are also making themselves too susceptible to hackers by sharing too much on social media. They will brag about their smart homes, IoT devices, etc. And security of these devices will be an afterthought to providers as well.
danielcawrey 8/7/2017 | 7:03:59 PM
Re: Bipartisanship vs. Botnets I'm incredibly concerned about the security issues surrounding IoT. I think we're going to see a number of breaches because there are so many platforms and no clear way to properly update these devices once they are out in the field. I hope I'm wrong, but that's my pessimistic outlook.
mhhfive 8/3/2017 | 2:15:52 PM
Re: Bipartisanship vs. Botnets It's nice to see that Senators recognize there's an IoT security problem, but it's also a bit concerning what the unintended consequences might be if security is regulated. Our lawmakers are generally not regarded as technical experts, so hopefully, they don't mandate tech security laws that are "impossible" to achieve -- or twist incentives so that no one can innovate with respect to security solutions.
Joe Stanganelli 8/3/2017 | 10:49:03 AM
Bipartisanship vs. Botnets On the one hand, as Bruce Schneier has aptly pointed out, makers and sellers of IoT products -- especially on the consumer side -- have little to no incentive at present to compete on security: a smart refrigerator or other smart device that is part of a botnet still fundamentally works. Hence, you have a tragedy of the commons type of issue here -- which negatively impacts both interstate commerce and national security, inter alia. It is difficult to see how a legislative or regulatory incentive is not warranted here.

On the other hand, lots of people in the industry are wary of legislation and regulation in this area, preferring to build and rely upon industry standards. Their trepidation is fair. In my personal experience/opinion, the legislation to be most wary of is bipartisan legislation. When 100 people whose business it is to tell you what to do and how to do it can overcome their diverse ideologies to create and widely agree on a new law, the result is often not so great.