Is the third time the charm for the US Internet of Things Cyber-Security Improvement Act of 2019?
A few weeks ago, Zion Williamson of Duke University, the top US college basketball prospect, was barely 30 seconds into a game against arch-rival North Carolina when his left Nike PG 2.5 sneaker (retail: $350) exploded. As in blew out, ripped, blew up, tore, split in half, “bricked,” in the schoolyard vernacular. Williamson wasn’t seriously injured but suffered a mild sprain and sat out the rest of the game.
The PG 2.5, as every cool kid knows, is a self-tightening sneaker straight out of “Back to the Future II” that contains smartphone-grade electronics and can be controlled via an Android or iPhone app. Other users had been complaining that the app wasn’t syncing with both shoes but Nike had not quite gotten around to fixing the glitch and updating. As a result, a $100 million basketball player could easily have damaged his career.
The incident was embarrassing for Nike and briefly brought the company’s stock value down but—more importantly—it was a useful reminder to technologists and their enablers that a world in which everything that can be connected to the internet likely will be is a world where unintended consequences are going to occur—with both hilarious and deadly serious results.
The notion that billions of devices – of varying degrees of usefulness and levels of security – are going to be happily connected together and constantly working to make the lives of human beings a bit easier and more rewarding is fairly ludicrous on the surface.
What all these devices and objects and sensors and sneakers are doing is creating an enormous playground for hackers, who will continue to probe the connections between low-power, dumb devices and critical infrastructure to create Distributed Denial of Service (DDoS) attacks that employ swarms of poorly-protected consumer devices to attack public infrastructure through massively coordinated misuse of communication channels.
While these devices, and the data they collect and transmit, potentially present enormous benefits to consumers and industry, the relative insecurity of many devices presents unpredictable challenges. Sometimes shipped with factory-set, hardcoded passwords and often unable to be updated or patched, IoT devices can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack.
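The two weaknesses named above, a factory-set credential shared by every unit and a device with no way to be patched, are exactly what a defender would look for in an asset inventory. The following Python is an added example, not code from the article or from any vendor: it audits a constructed fleet record for those weaknesses and shows the hardened alternative, a random per-unit credential generated at manufacture and stored only as a salted hash. The device models, field names, default-credential list and inventory entries are all constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed list of factory-set credentials for the hypothetical models below.
# A real audit would take this from the vendor documentation for the models owned.
KNOWN_FACTORY_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "root"),
}


@dataclass
class Device:
    serial: str
    model: str
    username: str
    password: str                      # as recorded in the (constructed) inventory
    update_mechanism: Optional[str]    # e.g. "signed-ota"; None means it cannot be patched
    credential_changed_on_first_boot: bool


def audit_device(dev: Device, fleet_password_counts: Dict[str, int]) -> List[str]:
    """Return the weaknesses described above as found on one device."""
    findings = []
    if (dev.username, dev.password) in KNOWN_FACTORY_DEFAULTS:
        findings.append("factory-default credential still in use")
    if fleet_password_counts.get(dev.password, 0) > 1:
        findings.append("credential shared with other devices in the fleet")
    if not dev.credential_changed_on_first_boot:
        findings.append("device did not force a credential change on first boot")
    if dev.update_mechanism is None:
        findings.append("no update mechanism: vulnerabilities cannot be patched")
    return findings


def audit_fleet(devices: List[Device]) -> Dict[str, List[str]]:
    """Audit every device; shared-credential detection needs the whole fleet."""
    counts: Dict[str, int] = {}
    for d in devices:
        counts[d.password] = counts.get(d.password, 0) + 1
    return {d.serial: audit_device(d, counts) for d in devices}


def provision_credential(serial: str) -> Dict[str, str]:
    """Hardened alternative to a hardcoded password: a random per-unit credential
    generated at manufacture. The plaintext is shown once (on the unit's label or
    handover sheet); the device and inventory keep only a salted PBKDF2 hash.
    The serial is recorded alongside, never used to derive the secret."""
    plaintext = secrets.token_urlsafe(18)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, 200_000)
    return {
        "serial": serial,
        "plaintext": plaintext,  # hand over once, then discard
        "stored": f"pbkdf2-sha256${salt.hex()}${digest.hex()}",
    }


def verify_credential(plaintext: str, stored: str) -> bool:
    """Check a presented password against the stored salted hash in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", plaintext.encode(), bytes.fromhex(salt_hex), 200_000
    )
    return secrets.compare_digest(digest.hex(), digest_hex)


# Constructed sample inventory: two cameras still on the shared factory default and
# with no patch path, one thermostat that was provisioned properly.
SAMPLE_FLEET = [
    Device("SN-0001", "Cam-X", "admin", "admin", None, False),
    Device("SN-0002", "Cam-X", "admin", "admin", None, False),
    Device("SN-0003", "Therm-Y", "ops", "hX9rLmQ2vT7cWb", "signed-ota", True),
]

if __name__ == "__main__":
    for serial, findings in audit_fleet(SAMPLE_FLEET).items():
        print(serial, findings or ["ok"])
```

Running the block reports four findings against each camera and none against the thermostat. The shared-credential check is the one worth noting: a single default password is bad on one device, but it is the fact that every unit of a model shares it that lets a worm such as the one the next paragraph describes move from device to device.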
Hacker-created IoT botnets can direct enormous swarms of connected sensors like thermostats or sprinkler controllers to cause damaging and unpredictable spikes in infrastructure use, leading to things like power surges or reduced availability of critical infrastructure on a city or state-wide level. See the infamous Mirai hack of 2016 for a look at how destructive a well-planned IoT attack can be.
Welcome to the Internet of Things, which has the potential to be almost as great and amazing as the marketers say it will be, but right now feels a bit like the Wild Wild West before the new marshal arrives in town. Gartner says there will be more than 20 billion IoT devices in the world in 2020.
It’s a crowded, dangerous world and one that raises an existential question: Does a Barbie Doll really need to be connected to the internet?
There is plenty of skepticism about IoT going around. Stories about strangers hacking into baby monitors and talking weird to infants have created a rightful mistrust in the general public. I, for one, don’t want my refrigerator to know I ate the last piece of chocolate cake. So wacky has a lot of this become that one bright fellow has even created a Twitter account called @internetofshit which tracks the more ridiculous ideas for connected products. It has almost 380,000 followers.
Help is on the way…maybe
Senators Mark Warner (D-Va.), who is as close to being the Marshal Dillon of the internet as we have in the US Congress, and Cory Gardner (R-Colo.) last week re-introduced a bill aimed at improving the cyber-security of Internet-connected technologies ranging from connected cars and medical devices to cameras and speakers. Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Tex.) introduced a companion bill in the House.
The bill, which Warner and Gardner first introduced in 2017, would require the Commerce Department to write voluntary standards for how the industry can securely develop and maintain those devices, but would mandate that government agencies and their contractors abide by those standards. It would also urge Internet of Things manufacturers to co-operate on finding and alerting people about hackable computer bugs in their products.
The current bill, supported by members of both parties and known as the Internet of Things Cyber-security Improvement Act of 2019, eschews specific recommendations and instead calls for the National Institute of Standards and Technology (NIST) to develop security guidelines for IoT devices sold to the US government. Senator Warner said:
Governments can exert some influence over the internet within their borders without being authoritarian—if they act in a way that protects citizens from cybersecurity threats, such as identity theft or computer hacking—provided those actions are also backed by democratic laws and procedures that prevent the abuse of power (e.g., using cyberinsecurity as an excuse for censorship).
While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security. This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.
Specifically, the Internet of Things Cybersecurity Improvement Act of 2019 would:
- Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
- Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
- Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
- Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
- Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies so that if a vulnerability is uncovered, that information is disseminated.
Billions of lightly secured, easily discoverable devices and toys connected to the internet. What could possibly go wrong?
It is perhaps an indication of how seriously US regulators are taking the IoT threat that this is the third year in a row in which the same bill has been introduced. It may have a better chance this year since it leaves it to NIST to develop the rules rather than spelling them out in detail.
With luck, manufacturers will quickly discover that there isn’t a huge market for “smart” sex toys and nagging lawn mowers and toilets that ping you if you forget to flush and cute little cameras that let you see the world from your baby’s perspective. Perhaps, we’ll even find that many basketball players still like to tie their own shoes.
Looking Down Under for a Back Door
The whole thing becomes considerably less funny when you consider that the most likely suspects in the deadly crashes of the two new Boeing 737 Max 8 aircraft are the sensors and software that automatically point the nose down when they think the aircraft is about to stall.
Image credit - Nike