Manufacturers of wireless devices used for Internet of Things (IoT) applications should take heed of new Trump Administration proposals aimed at reducing the cybersecurity threats from botnets and other automated and distributed attacks.
Following a year of public and internal discussions and inquiry, the Department of Commerce and Department of Homeland Security (DHS) recently issued a Final Report on the topic, “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.” The Report arises from the cybersecurity Executive Order issued by President Trump in May 2017, which required Commerce and DHS to lead a process to determine appropriate action to “dramatically reduc[e] threats perpetrated by automated and distributed attacks (e.g., botnets).”
The Report puts considerable pressure on device makers and software providers to make concrete progress in improving the security of IoT devices and software. Indeed, its first recommended action is the establishment of broadly accepted security baseline capabilities for IoT devices in home and industrial applications. The Report states unequivocally that vendors must not ship devices with known security flaws, must incorporate a secure update mechanism into their products, and must follow current best practices (including no hard-coded passwords) for system configuration and administration. Future products need to enhance the reliability and integrity of authentication processes by leveraging hardware roots of trust and other trusted execution technologies, which will require significant steps forward in education and awareness for product developers.
The Report sets out six themes related to cyber threats and the IoT ecosystem:
- Automated, distributed attacks are a global problem;
- Effective tools exist, but are not widely used;
- Products should be secured during all stages of the lifecycle;
- Awareness and education are needed;
- Market incentives should be more effectively aligned; and
- Automated, distributed attacks are an ecosystem-wide challenge.
The Report then identifies five principal goals aimed at dramatically reducing threats toward the IoT ecosystem:
- Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace;
- Promote innovation in the infrastructure for dynamic adaptation to evolving threats;
- Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks;
- Promote and support coalitions between the security, infrastructure, and operational technology communities domestically and around the world; and
- Increase awareness and education across the ecosystem.
From these themes and goals, the Report recommended twenty-four actions to be taken by stakeholders – government, industry, and others – the most relevant of which for device manufacturers are outlined below.
Action 1.1. Using industry-led inclusive processes, establish internationally applicable capability baselines for IoT devices supporting lifecycle security for home and industrial applications founded on voluntary, industry-driven international standards. The rapid deployment of insecure IoT devices “has had the pernicious side effect of enabling cost-effective development of extremely large and widely distributed botnets.” Because of the exponential increase in IoT devices, the Internet and communications ecosystem must move away from reactive botnet mitigation activities and embrace a proactive and focused approach aimed at reducing known vulnerabilities of Internet-connected devices throughout the lifecycle. The Report calls for the development of industry-led performance-based security baselines covering the entire lifecycle of IoT devices, based upon voluntary standards, specifications, and security mechanisms.
Action 1.2. The federal government should leverage industry-developed capability baselines, where appropriate, in establishing capability baselines for IoT devices in U.S. government environments to meet federal security requirements, promote adoption of industry-led baselines, and accelerate international standardization. The Report recommends that the federal government use its procurement authority to encourage the development of more secure devices. It suggests that federal procurement guidelines be used to “amplify the market signal by requiring the capabilities in the baseline(s)” and to conform to private sector labeling (see Actions 5.1 and 5.2 below). It also directs the National Institute of Standards and Technology (NIST) to pinpoint minimum requirements for federal IoT devices and systems, determine the suitability of existing consensus industry baselines for federal users, create federal standards, and find industry partners that can help expedite the development of additional necessary baselines.
Action 1.3. Software development tools and processes to significantly reduce the incidence of security vulnerabilities in commercial-off-the-shelf software must be more widely adopted by industry. The federal government should collaborate with industry to encourage further enhancement and application of these practices and to improve marketplace adoption and accountability. Software developers should “significantly reduce the incidence of security vulnerabilities in commercial-off-the-shelf software” through wider adoption of development tools and processes to reduce the number of vulnerabilities, increase the detection of security flaws before product deployment, and limit meaningful exploitation of any vulnerabilities that could arise. The Report recommends that the federal government support industry adoption of secure coding tools to avoid security vulnerabilities created by common software bugs and take steps to promote secure software development. It also tasks Commerce’s National Telecommunications and Information Administration (NTIA), which has previously led a multi-stakeholder process on software patching and upgrading for IoT devices, to lead an effort aimed at fostering greater software component transparency.
Action 3.2. Home IT and IoT products should be easy to understand and simple to use securely. This item recommends that industry “prioritize simple and straightforward deployment and configuration processes for devices marketed to home and small businesses,” such as forced updates to administrative passwords at installation, secure and intuitive default configurations, and automatic or easily managed installation of security patches.
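To make the configuration practices named in the Report concrete (no hard-coded or factory-default passwords, a forced administrative password change at installation, and secure defaults such as remote administration off and automatic security updates on), the following is an added illustration written for this summary; it is not code from the Report, from NIST, or from any vendor. The device state, the setting names in SECURE_DEFAULTS, the small deny-list of well-known default passwords, and the minimum length rule are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed secure-by-default settings for a home IoT device (Action 3.2):
# nothing is reachable remotely and no service runs until an owner-chosen
# administrative password exists.
SECURE_DEFAULTS = {
    "remote_admin_enabled": False,     # no WAN-facing admin interface by default
    "telnet_enabled": False,           # legacy cleartext admin protocol stays off
    "auto_security_updates": True,     # patches install without user action
    "password_change_required": True,  # installation must set a new password
}

# Constructed deny-list of well-known factory defaults (illustrative, not a
# real product's credentials). A device must never ship with these in use.
WELL_KNOWN_DEFAULTS = {"admin", "password", "1234", "root", ""}

MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 200_000


@dataclass
class DeviceState:
    """Persistent device state: configuration plus salted password hash."""
    config: dict = field(default_factory=lambda: dict(SECURE_DEFAULTS))
    salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value is per-device and not a hard-coded hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def set_admin_password(state: DeviceState, new_password: str) -> str:
    """Install-time step: accept a new admin password only if it is not a
    well-known default and meets the minimum length. Returns a status string."""
    if new_password.strip().lower() in WELL_KNOWN_DEFAULTS:
        return "rejected: well-known default"
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return "rejected: too short"
    state.salt = secrets.token_bytes(16)
    state.pw_hash = _hash_password(new_password, state.salt)
    state.config["password_change_required"] = False
    return "ok"


def login(state: DeviceState, password: str) -> str:
    """Until a per-device password is set, the only permitted action is
    setting one; no shared factory credential ever grants a session."""
    if state.config["password_change_required"] or state.pw_hash is None:
        return "must_change_password"
    candidate = _hash_password(password, state.salt)
    # Constant-time comparison avoids leaking hash bytes through timing.
    if hmac.compare_digest(candidate, state.pw_hash):
        return "ok"
    return "denied"


def enable_remote_admin(state: DeviceState) -> str:
    """Remote administration can only be switched on after provisioning,
    so a device is never exposed while still carrying no owner password."""
    if state.config["password_change_required"]:
        return "refused: password not provisioned"
    state.config["remote_admin_enabled"] = True
    return "ok"


if __name__ == "__main__":
    device = DeviceState()
    print(login(device, "admin"))                      # must_change_password
    print(set_admin_password(device, "admin"))         # rejected: well-known default
    print(set_admin_password(device, "owner chosen phrase 2018"))  # ok
    print(login(device, "owner chosen phrase 2018"))   # ok
    print(enable_remote_admin(device))                 # ok
```

The point of the structure is that the insecure paths simply do not exist: there is no shared credential to find in firmware, the device refuses any session before the owner sets a password, and exposure-increasing settings cannot be enabled before that step completes.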
Action 4.3. Sector-specific regulatory agencies, where relevant, should work with industry to ensure non-deceptive marketing and foster appropriate sector-specific security considerations. While acknowledging the limits of one-size-fits-all rules, the Report suggests that sector-specific regulatory agencies can promote ecosystem resilience by working with industry to ensure that the security of the products deployed is appropriate for the products’ use.
Action 5.1. The private sector should establish and administer voluntary informational tools for home IoT devices, supported by a scalable and cost-effective assessment process, that consumers can trust and intuitively understand. The action item recommends industry development, through a multi-stakeholder process convened by the federal government, of effective assessment and labeling of home IoT device security capabilities that may allow consumers to “make informed choices.” While it largely emphasizes industry-led efforts, it also suggests that agencies such as the Federal Trade Commission could have a role, through investigating deceptive marketing claims regarding security capabilities. (A separate item focuses on a public awareness campaign, established by the federal government, to promote understanding of home IoT device security baselines and branding.)
Action 5.2. The private sector should establish voluntary labeling schemes for industrial IoT applications, supported by a scalable and cost-effective assessment process, to offer sufficient assurance for critical infrastructure applications of IoT. The Report suggests that manufacturers of industrial IoT devices and applications should make efforts beyond the voluntary actions suggested for consumer devices in Action 5.1, possibly including the establishment of an evaluation process and an evaluated products list.
Next Steps. The Report envisions the development of a prioritized “roadmap” to coordinate the timing and management of efforts to implement its recommendations. Commerce and DHS, “in coordination with industry, civil society, and in consultation with international partners, will develop an initial road map with prioritized actions within 120 days after approval of this report.” The Report highlights recommendations regarding the establishment of IoT device security baselines and the promotion of effective software development tools as likely priority items.