The 2010s have seen the internet manifest not only in phones, but in everyday products such as refrigerators, locks, thermostats, and even toys. However, with these advances in technology come more vulnerabilities. From glaring vulnerabilities in children’s toys to attackers taking control of IoT security cameras, IoT companies have come under scrutiny for not doing enough to secure their products, which is reflected in a poll in which 90% of consumers wanted their devices to come with built-in security features.
The Senate Cybersecurity Caucus’ Response
Such calls have not gone unnoticed on the governmental level, as the Government Accountability Office (GAO) published a report that recommends “enhanced assessments and guidance” to address the Department of Defense’s (DoD) security risks.
On August 1st, 2017, Senators Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-OR), and Steve Daines (R-MT), the former two being co-chairs of the Senate Cybersecurity Caucus, introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. The proposed legislation would require that “vendors who supply the US government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements.”
The Senators stated in an official press release that the bill “Also promotes security research by encouraging the adoption of coordinated vulnerability disclosure policies by federal contractors and providing legal protections to security researchers abiding by those policies.”
The Cyber Shield Program
A similar, albeit bicameral, bill was introduced on October 26th, 2017, by Senator Edward Markey (D-MA) and Congressman Ted Lieu (D-CA), called the Cyber Shield Act of 2017. The act aims to “establish a voluntary program to identify and promote Internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures and processes.”
Section 4 of the Act includes provisions for a Cyber Shield Program, which will identify and certify covered products with superior cybersecurity and data security through the application of Cyber Shield labels. The labels applied will come in the form of different grades depending on the extent to which a product meets cybersecurity and data security benchmarks.
Under the provisions of the Act, a Cyber Shield Advisory Committee is to be established by the Secretary of Commerce. The Advisory Committee will be composed of members appointed by the Secretary from among individuals who are specially qualified to serve based on their training.
The Secretary will be responsible for establishing the benchmarks, promote technologies that are compliant with those benchmarks, and work to enhance public awareness of the Cyber Shield label, through efforts such as public outreach, education, research and development, and other means. The Secretary will also consult the Secretary of Health and Human Services, the Commissioner of Food and Drugs, the Secretary of Homeland Security, and other federal agencies in carrying out the Cyber Shield Program.
In the press release, Senator Markey commented that IoT will also stand for “Internet of Threats unless we put in place appropriate security safeguards.” Citing as many as 50 billion IoT devices projected to be in consumers’ pockets and homes by 2020, Markey believes that “cybersecurity will continue to pose a direct threat to economic prosperity, privacy, and our nation’s security.”
The Effectiveness of the Legislation
The introduction of the Cyber Shield Act is an acknowledgement that people, or at least Senator Markey and Congressman Lieu, are finally beginning to take the long-ignored issue of IoT vulnerabilities seriously. However, because participation in the program is voluntary, there is no effective mechanism to ensure the participation and accountability of IoT manufacturers.
The timeframe, which allows up to 90 days from the enactment of the Act to establish the Advisory Committee, up to 2 years to complete the benchmarks, and a further 60 days after completion for the benchmarks to take effect, would likely result in outdated benchmarks and guidelines. Technology guidelines written in 2017 might not be able to address the growing needs of the innovations of 2019 and beyond.
There is also existing legislation, such as the previously mentioned IoT Cybersecurity Improvement Act of 2017, which requires manufacturers and contractors to ensure, through written certification, that their devices are secured, have no known vulnerabilities or defects listed in the national database, and can be updated securely in the future. Should a vulnerability surface, the contractor must notify the government agency that purchased the device.
So far, there are no criminal repercussions if a contractor fails to meet the requirements of the act. Moreover, the IoT Cybersecurity Improvement Act only deals with US government uses of IoT devices, although Chantelle Dubois of All About Circuits mentions that it could encourage manufacturers to adhere to federally mandated standards for general consumer products as well.
Similarly, while the Cyber Shield Act has its flaws, in that its implementation might not be timely enough and there is no feasible way of enforcing a voluntary program, at the very least the legislation will add to the growing awareness of security issues and vulnerabilities in IoT devices and services.