Cybersecurity experts hail new IoT law
The bill increases protections for the billions of "government-owned or controlled" connected devices in homes and businesses.
President Donald Trump signed the Internet of Things Cybersecurity Improvement Act into law this month, codifying what many cybersecurity experts have long demanded: stronger security protections for the billions of IoT devices flooding homes and businesses.
In the last few years, countless household items and appliances have been converted into internet-connected devices, with some estimates predicting 41.6 billion IoT devices in the field by 2025 and over $1 trillion spent on them by 2023.
The law calls on the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specific steps to increase cybersecurity for Internet of Things (IoT) devices.
The explosion of IoT devices into everyday life has coincided with an increase in devastating attacks that exploit their insecurity to do as much damage as possible, as seen most clearly in the Mirai botnet attacks of 2016.
Brad Ree is CTO of the ioXt Alliance, which works with government agencies, manufacturers and major tech companies to create universal security standards for connected devices across product segments.
In an interview he called the law a "major milestone for the industry" and said it was important that the public and private sectors could come together and create a set of minimum security requirements.
"While this bill is aimed at government purchasing, I fully expect network operators, consumer ecosystems, and retailers to continue to have similar requirements for consumer products," he said.
Andrea Carcano and Edgard Capdevielle, respectively co-founder and CEO of IoT cybersecurity company Nozomi Networks, saw the law as an important first step toward ensuring that IoT device manufacturers improve the security of their products.
The company recently released research showing that in the first six months of this year, hackers used IoT botnets and ransomware as their weapons of choice for targeting IoT devices in operational networks.
"While the hard work of improving device standards has not been completed, NIST's involvement will help drive the global adoption of IoT device security standards that we believe will go a long way to improve the security of overall business and critical infrastructure," said Capdevielle.
The law calls for the creation of standards and guidelines for managing cybersecurity threats in four areas: secure development, identity management, patching and configuration management. It also directs NIST to work with the U.S. Department of Homeland Security, along with cybersecurity researchers and private sector industry experts, to publish guidelines for reporting and remediating vulnerabilities.
Chloé Messdaghi, VP of strategy for Point3 Security, said the cybersecurity industry was excited about the law because it requires standards for all government-acquired IoT devices, which effectively means that every newly designed IoT device must meet cybersecurity standards.
The law will also require government agencies purchasing IoT devices to run vulnerability disclosure programs, something she said CISA had been trying to mandate.
"Vulnerability disclosure policies are an important tool in strengthening organizational cybersecurity," she said.
Vdoo is a platform that uses AI to detect and repair vulnerabilities in IoT devices, and its vice president, Yaniv Nissenboim, said he expects federal agencies to adopt the new set of NIST guidelines swiftly and to push for compliance.
He also expressed hope that the law would have a trickle-down effect and prompt state governments to follow suit. At the same time, it would push the IoT device industry to prioritize cybersecurity.
"Non-compliant companies may be excluded from profitable target markets for their IoT devices at some point. We expect similar rules and standards to emerge outside the US market too," Nissenboim said.
Former CIA intelligence officer and KnowBe4 senior vice president of cyber operations Rosa Smothers also noted that the law requires Homeland Security to review IoT device security recommendations at least every five years as the attack surface grows.
"In my opinion, the greatest potential impact of HR 1668 is the mandate that government contractors who develop or are vendors of IoT devices must implement a program to account for vulnerabilities and remedies; as the federal government is the largest buyer of goods in the United States, this requirement can have a ripple effect across the private sector," said Smothers.
Longstanding IoT security concerns
Cybersecurity experts have long complained that IoT device makers were not doing enough, or anything at all, to secure devices that could give hackers access to an entire network.
Lou Morentin, vice president of compliance and risk management at Cerberus Sentinel, said that little thought has been given to device security: the technology embedded in each new version of these devices has brought leaps in functionality and ease of use, but at a cost.
"Because many of these IoT devices lacked security controls, they provided access to networks and data. Many of these devices found their way into secure environments such as the Department of Defense and healthcare. For example, the technological leaps also cause vendors to abandon equipment in favor of the latest and greatest version, leaving many devices vulnerable in the wild. Security was not built in; they were selling products," Morentin said.
"Unfortunately, this provided a gateway for malicious actors to harm consumers, and now government and business environments, and to destroy data. By requiring a level of security from manufacturers, this may help to at least slow down or, in some cases, prevent the compromise of confidential data."
He explained that some states, such as California, are trying to force manufacturers to start building basic security features into IoT devices. But a law at the national level forces manufacturers who want a seat at the table to build security into their devices.
Stefano De Blasi, a threat researcher at Digital Shadows, said the rise of 5G would undoubtedly trigger an even bigger explosion of IoT devices. But connecting these devices to private corporate networks expands the attack surface and exposes sensitive data such as medical records, personally identifiable information and internal business plans.
"One of the main problems with IoT security right now is that the rush to market often takes priority over security measures that need to be integrated into these devices. This has made many IoT devices low-hanging fruit for criminals interested in data theft and access to open networks," he said.
"Criminals can exploit vulnerable products by harnessing their computing power and launching massive IoT botnet campaigns to flood targeted services with traffic and to spread malware. This act not only raises awareness of this crucial security issue, but also sets an important precedent that can, and should, encourage other countries and organizations to pursue it."
IoT devices are no less vulnerable to security flaws than traditional web or mobile applications, said Peter Monahan, director of global solutions architecture at WhiteHat Security.
Most IoT applications are designed to interact with any number of APIs, which may be equally vulnerable, but which are often developed and operated by external third parties.
"This poses a significant challenge in assessing the overall security posture of any particular device, depending on how the federal government intends to deploy it," he said.
Expansion beyond government devices?
The bill was not without its critics. Some experts questioned why the act was limited to government-owned or controlled equipment rather than covering the industry as a whole.
Terence Jackson, chief information security officer at Thycotic, said that while IoT devices used on government networks are important, legislation prescribing security for all IoT devices would have been a more complete approach to IoT device security.
"This may generate more sales for companies as they introduce more cost-effective government-level IoT devices. It will be interesting to see if companies improve the security of their consumer-level products as a result of the statute," Jackson noted.
The diversity of IoT device capabilities and price points is putting pressure on manufacturers to rush devices to market, forcing companies to cut corners, especially on cybersecurity, according to Chris Hazelton, director of security solutions at Lookout.
There are now hundreds of millions of devices in the wild with only basic password protection, he explained, creating a huge attack surface for any organization that uses and relies on those connected devices.
Hazelton noted that NIST has previously issued mobile security guidelines for smartphones and tablets that have been widely adopted, including outside government by organizations such as professional sports teams.
The hope, he said, is that the same thing will happen for IoT devices now that the law has been passed and signed.