Tuesday, August 15, 2017
The proposed Internet of Things (IoT) Cybersecurity Improvement Act of 2017, introduced Aug. 1, 2017, would create minimum security requirements for U.S. government, Internet-connected devices. Senate Cybersecurity Caucus co-chairs Mark R. Warner, D-Va., and Cory Gardner, R-Colo., and Sens. Ron Wyden, D-Ore., and Steve Daines, R-Mont., are sponsoring the bipartisan legislation, which would require government-supplied IoT devices to be patchable, updateable and protected from known vulnerabilities. Security analysts are stressing the need for similar initiatives in the private sector.
In an interview with The Green Sheet, Vanita Pandey, Vice President of Product Marketing at ThreatMetrix, said the IoT has opened new frontiers of growth and cyberthreats, creating "a third industrial revolution." Pandey warned it will only be a matter of time before a large-scale breach impacts mobile and IoT devices. As cybercriminals exploit connected devices and human failings with familiar attack patterns such as phishing and ransomware, advanced forms of detection will be critical to protect political and personal assets, she added.
"Humans continue to be the greatest vulnerability for corporations," Pandey stated. "Today, a large number of attacks come from cybercriminals looking to exploit known vulnerabilities that have never been patched despite patches being available for months, or even years, as evidenced by the WannaCry attacks, a concern the proposed legislation addresses."
Numerous security experts, including the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University, participated in the Cybersecurity Caucus research efforts, representatives stated. The experts shared ideas on how to improve IoT security for devices shipped with hardcoded passwords, which are difficult to update or patch because they are embedded in source code.
Security analysts predict the IoT will include more than 20 billion devices by 2020, creating opportunities and challenges for consumers and business owners. Recent distributed denial of service attacks against websites, servers and Internet infrastructure providers have highlighted the need for improved IoT frameworks, noted Sen. Warner, Senate Cybersecurity Caucus Co-chair. Warner, a former technology executive, also serves as Vice Chairman of the Senate Select Committee on Intelligence.
Sen. Gardner stated the IoT "continues to expand, with most experts expecting tens of billions of devices operating on our networks within the next several years. As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks. This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space."
According to Sen. Wyden, enacting the bill "would also help stop botnets that take advantage of internet-connected devices that are currently ludicrously easy prey for criminals." He added that the bill would also update the Computer Fraud and Abuse Act and Digital Millennium Copyright Act by exempting cybersecurity researchers from liability from "irritated vendors" as they perform research pursuant to adopted coordinated vulnerability disclosure guidelines.
Government officials and private-sector executives have endorsed the proposed legislation. Upon passage, guidelines and disclosure policies for government contractors and connected devices would be implemented by the Office of Management and Budget and enforced by the Department of Homeland Security. All executive government branches would inventory their internet-connected devices.
"This bill deftly uses the power of the federal procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ some basic security measures in their products," said Jonathan Zittrain, co-founder of the Berkman Klein Center. "This will help everyone in the marketplace, including non-governmental purchasers and the vendors themselves, since they'll be encouraged together to take steps to secure their products."
Bruce Schneier, Fellow and Lecturer at Harvard Kennedy School of Government, agreed the proliferation of insecure Internet-connected devices presents an enormous security challenge. "The risks are no longer solely about data; they affect flesh and steel," he said. "The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests."
Pandey praised recent advances in information security research and cyber detection solutions but warned that human errors will continue to provide entry points for cybercriminals. Shared intelligence that can differentiate between good and bad customers and application programming interfaces is the best defense against connected and well-organized cybercrime, she noted.
"One of the big reasons for this is the fact that adoption of new technology outpaces people's true understanding of the implications or workings," she said. "This will be especially true for situations where the connected ecosystem will govern many key aspects of one's daily life or a corporation's operations."
Pandey expects IoT adoption and related threats to grow exponentially as connected and programmable devices control more aspects of our daily lives. "We may enter an era when individual households would be more at risk from potential ransomware attacks than from burglars and other criminals in the real world," she said. "At that point in time, there will be no such thing as an impenetrable system. Detection and understanding the source of compromise will be as critical as preventing them."