Thursday, August 3, 2017

There otta be a law?

I'm a little conflicted about this:
Lawmakers in the U.S. Senate today introduced a bill that would set baseline security standards for the government’s purchase and use of a broad range of Internet-connected devices, including computers, routers and security cameras. The legislation, which also seeks to remedy some widely-perceived shortcomings in existing cybercrime law, was developed in direct response to a series of massive cyber attacks in 2016 that were fueled for the most part by poorly-secured “Internet of Things” (IoT) devices.
Mostly, I don't think that there should be new laws for almost anything.  But readers know that I've been ranting about the lousy security of the Internet of Things for a long time (I see you roll your eyes at me).
The IoT Cybersecurity Improvement Act of 2017 seeks to use the government’s buying power to signal the basic level of security that IoT devices sold to Uncle Sam will need to have. For example, the bill would require vendors of Internet-connected devices purchased by the federal government make sure the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that vendors ensure the devices are free from known vulnerabilities when sold.
This seems to me to be exactly the way to approach this.  The Fed.Gov buys a bunch of stuff, so much that it can (and often does - see FIPS 140) get companies to add security to their products.  After all, the Fed.Gov doesn't have to buy anyone's products if it doesn't think they're fit for purpose.  Since many IoT products are built on the same software stack, there's a good chance that a lot of consumer products would pick these requirements up too, because it's cheaper for the companies to support a single stack for everything than to maintain a government one and a consumer one.

And then the IoT companies that sell to the government will start competing on security with their pure-consumer competitors.

All in all, this seems like a reasonable approach.  It's a carrot, not a stick.  Hard to see how it would make things worse.

2 comments:

matism said...

Except that by the time the bill is passed, Democrats and Rove Republicans in Congress will add requirements which are dictated by their donors. Not that Bill Gates and Mark Zuckerberg and Eric Schmidt and the rest would have any intent to limit competition or anything like that...

Mike said...

This is a vastly better approach than the garbage they are pushing in FARs and DFARs requiring NIST 800-171 compliance this year for anyone supplying federal contracts. Those requirements make sense for a big defense contractor, and most of them already have IT systems that are close to being in compliance, but the requirements are flowed down to the small businesses that supply those big companies, and are incredibly burdensome. Mandatory network monitoring, incident reporting to the government, complicated IT processes that must be in place, hardware requirements - it's going to mean at least a full time IT person for a lot of companies that don't have one now. It's a huge increase in overhead, and it was all started as a response to the hack of the OPM. Typical response by government - they critically failed in their duty to safeguard the information they collected, and the solution is to put massive new regulations in place for companies that didn't do anything wrong.