Is the U.S. finally about to take IoT security seriously?
Does IoT stand for “internet of threats”? One senator says it might soon, and warned that the internet of things could “pose a direct threat to economic prosperity, privacy and our nation’s security.”
Indeed, security issues plaguing IoT devices have long been a concern, and last week congressional Democrats introduced a bill designed to help mitigate what are seen as widespread vulnerabilities. But while the effort is noble and may help raise awareness of the issues, there are lots of reasons why the Cyber Shield Act of 2017 won’t end up doing much to actually solve the problem.
What’s in the Cyber Shield Act of 2017
The bill, in the works for months and introduced by Sen. Edward J. Markey of Massachusetts (who made the “internet of threats” quip in a statement) and Rep. Ted W. Lieu from Los Angeles, calls for a voluntary scheme to evaluate, certify and label IoT devices that meet certain benchmarks for internet and data security. The idea is to create a Cyber Shield Advisory Committee made up of industry representatives, cybersecurity experts, public interest advocates and government wonks. Reporting to the secretary of commerce (currently Wilbur Ross), the committee would have a year to establish the content and format of the proposed IoT device labels.
It’s a good idea, really. After all, the best time to secure an IoT device is before it gets deployed, and a cybersecurity seal of approval could theoretically help warn consumers away from the most vulnerable choices.
Why it probably won’t work
But even assuming the bill were to be enacted — which hardly seems likely for a consumer-oriented Democratic bill floated during the Trump administration — it’s difficult to see how it would make a real difference.
First, despite all those “experts” populating the committee, it could be very difficult to get everyone to agree on exactly what constitutes better IoT security. That means they will likely end up with only the most obvious and generic recommendations, which could be woefully inadequate against a determined attacker. And cybersecurity threats clearly develop much faster than Congress can move: the bill suggests updating the criteria only every two years, so many of the benchmarks could be obsolete even before they are established.
Perhaps most importantly, though, the program would be completely voluntary. Vendors could choose whether or not to participate, and the bill does not make clear who would vet vendors’ claims of compliance; a label backed only by a vendor’s own assertion tells a buyer little about how the device was actually tested. Similarly, consumers could very well choose to buy devices with bad ratings, or no certification at all, that offer low prices or compelling features. More to the point, would such a label bring any value to enterprise IoT buyers?
A better bet might be the bipartisan IoT Cybersecurity Improvement Act of 2017, introduced in August, which would require vendors selling IoT devices to the federal government to certify that their products use user-configurable (rather than hard-coded) passwords, can be patched when necessary and don’t ship with known vulnerabilities. The government market isn’t critical to many IoT vendors, but a federal procurement requirement could spur the whole market to take security more seriously. And as a narrower, bipartisan measure, it actually stands a snowball’s chance of making it into law.