Lawmakers in the U.S. and U.K. are readying new laws that will crack down on insecure Internet of Things devices in both the public and private sectors.
U.S. and U.K. governments are cracking the whip on Internet of Things (IoT) insecurity with new regulations aimed at ensuring IoT devices are more secure, in the public and private sectors respectively.
In the U.S., Congress has proposed legislation recently introduced in both the Senate (S.734) and the House (H.R. 1668) that seeks new security standards for IoT devices sold to government agencies from vendors and federal contractors.
As part of the legislation, the National Institute of Standards and Technology (NIST) is reviewing considerations for how to manage IoT cybersecurity risks in areas of secure development, identity management, patching and configuration management.
Meanwhile across the pond, lawmakers in the U.K. are calling for a more consumer-oriented law that would let consumers know how secure an IoT device is before they buy it, setting some baseline standards for the devices to ensure security.
The law would instate a program–voluntary at first but then mandatory if companies want to sell their products–that would put a label on IoT devices indicating the degree to which they meet the security requirements, in an effort to help inform consumers when purchasing.
Global IoT security epidemic
While the IoT continues to spread rapidly across the globe, security remains a thorn in the technology paradigm’s side. IoT devices remain inherently and even shockingly insecure, something that many believe should be up to device makers to fix.
There already have been a number of incidents in which IoT devices were compromised, most notably the Mirai botnet in 2016. Researchers agree the wide surface area of the IoT poses a cybersecurity threat due to its nebulous nature, with various connected devices communicating through largely unsecured wireless protocols.
The IoT’s explosive growth and its inherent necessity for new passwords for various devices also poses a huge security risk, according to a recent report. The research–a collaboration between Thycotic and Cybersecurity Ventures–estimated that there will be 300 billion passwords at risk of theft by 2020, driven by the IoT. There are currently about 8.2 million passwords–or 95 per second–being stolen every day, researchers found.
Moreover, the report concluded that there is the potential for up to $6 trillion in cybercrime damages by 2021 due to the risk posed by the billions of passwords that will be online by then.
“As the market has grown, security appears to be given even less thought, or is outsourced to platform providers with even less expertise,” acknowledged Ken Munro, IoT cybersecurity expert and consultant at Pen Test Partners. “Yes, there are beacons of excellence, but consumers don’t have a clue how to determine which products have good security and which don’t.”
At the same time, there is no market pressure to be secure, so “manufacturers don’t know how to assure consumers about security, even if they do a good job of it,” he said. “It’s just a mess.”
Regulation to the rescue
Lawmakers now plan to step in to make sense of the IoT security mess to ensure manufacturers convey the security of their products in a more effective way to avoid any damage–financial or otherwise–the persistent insecurity of devices might cause.
In the United States, regulators at the moment seem more concerned with IoT devices that are finding their way into the government through subcontractors than with cyber risk to consumers. Once NIST does its risk assessment, the standards body is charged with proposing recommendations for minimum security requirements for IoT devices by March 31, 2020.
Once this is accomplished, NIST has 180 days to publish guidance relating to policies and procedures for reporting, coordinating, publishing and receiving info on security vulnerabilities of devices used by the federal government–and how to resolve them. Federal government contractors and vendors must adhere to this guidance and, if they don’t, the federal government and its agencies won’t purchase and use their products.
The proposed U.K. law is similar in its “comply or die” sentiment in that once the labeling of a device’s IoT security becomes mandatory, companies can’t sell products that don’t prove they meet the minimum requirements of the law.
To get a label proving that an IoT device is up to snuff, devices must meet the following minimum requirements: they must come up with unique default passwords; state clearly the length of time security updates will be made available; and offer a contact at the vendor for disclosure of the product’s cybersecurity vulnerabilities.
The U.K. regulation isn’t the first time regulators overseas have moved to secure the IoT with password protection in mind. Earlier this year, the European Union aimed to end default passwords for IoT devices through new technical specifications, dubbed TS 103 645. The specs called for connected device makers to ban the use of default passwords for connected consumer devices, as well as to make it easy for users to delete their personal data.