Lawmakers Seek Improved Cyber Safeguards With IoT Security Bill
‘My hope is that we can use the federal purchasing power to shape the wider consumer, enterprise and industrial markets for IoT devices ... and given the current market failure we see in securing these devices, this seems as good a place as any for the federal government to serve as an impetus,’ U.S. Sen. Mark Warner (D-Va.) tells CRN.
With the explosion of IoT devices on the market, and an accompanying desire by the U.S. government to use those products to streamline operations and find efficiencies, a bipartisan group of lawmakers is pushing a bill that would set minimum standards for built-in security on IoT devices that are to be deployed on government networks.
The Internet of Things Cybersecurity Improvement Act of 2019 -- introduced by U.S. Senators Mark Warner (D-Va.) and Cory Gardner (R-Colo.) -- would require the National Institute of Standards and Technology to issue recommendations that address secure development, identity management, patching, and configuration management for IoT devices.
Warner told CRN that the impetus behind the bill was the October 2016 botnet attack against Dyn, in which hackers broke into IoT devices, infected them with the Mirai virus, and then shut down dozens of cyber networks belonging to some of the biggest names in tech and media, such as Slack, SoundCloud, Fox News, BBC, Etsy, Netflix, and CNN, among others.
“Perhaps most frightening was what we learned later: that this botnet was not the work of deeply experienced state actors; it was the work of a handful of teenagers, who had – in very enterprising ways – built this botnet and used it in an effort to take down rival game-servers,” Warner said in an email interview. “The thought that this devastating capability – a botnet of unprecedented size and power, capable of taking offline some of the most popular sites on the internet – was created by three teenagers was truly sobering.”
The bill made it out of the Committee on Homeland Security and Governmental Affairs with a favorable recommendation in mid-June.
“I was pleased to see further action in the Senate on this important bill and I look forward to it being swiftly signed into law,” Gardner said in a statement. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks.”
Once law, the bill would require any Internet-connected devices purchased by the federal government to comply with NIST recommendations, and it would force contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, it can be shared with the vendor for remediation.
“After Mirai, I wrote to the FTC, FCC, and DHS – asking each a set of questions about their plans to address the growing threat of insecure nontraditional endpoint devices,” Warner said. “Their responses – and my concern that we lacked a holistic strategy – prompted this legislation.”
Warner has a strong tech background as the co-founder of a venture capital firm, Columbia Capital, that invested in hundreds of tech startups. He was also a co-founder of the company that later became Nextel, according to his U.S. Senate website. Along with Gardner, Warner is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus.
Warner said NIST has a draft set of minimum security requirements for IoT that he would like to see implemented. Among them: IoT devices must be patchable; if a security vulnerability exists and is manageable, it must be disclosed; devices must include access management; and they must ship with secure defaults, so that the default settings are the most secure ones. All of these must be in place before a device can be attached to government networks.
Warner said this bill isn’t just about securing government devices, but also about creating safer commercial and consumer products.
“From the outset I’ve been quite upfront that my hope is that we can use the federal purchasing power to shape the wider consumer, enterprise and industrial markets for IoT devices,” he said. “We’ve seen the federal government help shape industry standards in a range of contexts – and given the current market failure we see in securing these devices, this seems as good a place as any for the federal government to serve as an impetus.”
Philip de Souza is the founder and president of Aurora, a California-based security and compliance consulting firm that is a platinum partner with Symantec, and gold partner with McAfee. He said his business uses NIST standards, and not just in its federal work, but with commercial clients as well.
“We live and breathe NIST and we love it,” he said.
Aurora is currently working with two federal agencies that are installing and fortifying IoT devices. He called it a “natural progression” for NIST to overlay security on IoT devices.
“NIST now gets to set strategy for IoT devices, and that’s really neat because it’s a must,” he said. “There’s already a lot of concern with utilities that is ongoing, that IoT is one of our weakest areas as a nation … there’s going to be a need to secure IoT devices in the federal space.”
De Souza praised the recommendations NIST has put forward in draft form, and singled out access management as one of the critical items, though he questioned whether the government would have the “bandwidth” necessary to regulate that.
“The heart of identity and access management says ‘Look, we want the right data, to be at the right place, accessible by the right person at the right time,’” he said. “So as long as you meet those covenants, we’re good. So if the janitor at 2 o’clock in the morning is logging in to look at payroll information, something is wrong. These are the flags that would be set off.”
Barry Weinstein, vice president of sales with Mvation, said that while the IoT market is “exploding,” security on those devices is inconsistent and varies considerably by vendor.
“Unfortunately, with IoT right now it’s like the Wild West out there,” he told CRN.
Mvation, named one of the CRN 2018 Tech Elite 250, is a solution provider headquartered in Fremont, Calif., which does about 90 percent of its business with the federal government.
Weinstein said Warner’s bill is timely, in that many agencies are beginning to look at IoT as a way to achieve efficiencies and cost savings, most notably the Department of Defense. He said U.S. military bases are eyeing numerous IoT solutions in HVAC, gate security, gunshot detection and location, and shipping and logistics systems, and each one becomes a potential threat vector once it is connected to the network.
“They need protection from hacking,” he said. “The first step is to create a standard.”
Weinstein said from that point of view, Warner’s proposals look good on paper. He said however, once the recommendations emerge from NIST, they must be backed by an agency that certifies the devices, otherwise he fears vendors could sidestep the rules.
“You have to have certification if you are going to make it stick,” he said. “Otherwise, who is going to verify it?”
Brendan Walsh, SVP of partner relations with 1901 Group, a federally focused MSP in Virginia, told CRN that in government IT there are regulations like FISMA and HIPAA that deal with data protection, and then there is the series of NIST requirements for all MSPs that work for Washington.
“I think the bill is an extension of the standards and regs that are already in place,” Walsh said. “Manufacturers that are creating industrial refrigerators that are going to have sensors, and then put them on an Army base, the traditional IT management team may not be thinking about the security controls around a connected refrigerator. That’s really the gist behind the bill, to expand the awareness.”
Walsh said there are basically three types of IoT being installed today. First, there are older products being retrofitted to connect, such as motors and fans that are “bolted on” to the network to provide sensor data; then there are legacy devices that are redesigned to connect to the network, televisions and refrigerators for example; and then there are the pure IoT devices that are manufactured to be connected to the network.
He called Warner’s bill a “net positive” for MSPs in government, many of whom are already used to complying with NIST standards.
“I think it’s a very logical next step to bring that same kind of consistency or baseline or guidance to really an evolving amalgam of IoT,” he said. “The MSPs who are in public sector already adhere to a high standard when you look at the NIST 800 series. Warner is trying to get NIST to provide a set of controls like they do for government systems and government contractor systems. I think it’s a natural progression. It is creating a baseline for IoT, which is so broad. I don’t think it is going to hinder or hurt us. I think standards are a good thing.”
Walsh said while the types of devices that 1901 Group is installing and monitoring will continue to expand, from personal devices to logistic systems on trucks, the conversation about IoT security is evolving.
“There’s an inevitability to IoT,” Walsh said. “No one doubts that IoT is the future. It’s coming. Even if you don’t want it to, it is coming.”