The Senate is considering a bill that would force some serious changes in the way that vendors handle the security of the IoT devices they sell, but while the proposed law has strong bones, it should be clear by now that no amount of government regulation or intervention is going to fix this problem.
There is real potential in the IoT Cybersecurity Improvement Act of 2017. It dictates the inclusion in federal contracts of a number of clauses to address the most glaring IoT security weaknesses. Everyone knows by now how miserable the process of trying to update embedded devices can be. Many manufacturers consider IoT devices to be disposable and don’t expect customers to ever update them, so they don’t provide good update channels. Nor do many vendors even bother to produce patches when vulnerabilities are found in their products. Security is so far down the list of priorities for most IoT device makers that it’s barely even legible at the bottom of the page.
The new bill seeks to change that state of affairs by mandating that vendors not only certify that their products ship without any known vulnerabilities, but also that they include secure channels for receiving updates. Vendors also would be required to patch publicly disclosed vulnerabilities in a timely manner, a novel concept to be sure. If device manufacturers can’t comply with these requirements, then they’re not getting the federal government’s money, plain and simple. And the United States government has a significant pile of money, so the incentive for vendors to get their collective act together is powerful.
As for whether this will work, we do have at least one historical example to look back on. Microsoft in the late 1990s and early 2000s was beset on all sides by security problems. The company’s software, both on the desktop and the server, was riddled with security flaws, and researchers had no trouble finding them and reveled in publishing them. Microsoft was not good at responding to these disclosures, and some of the company’s larger customers, including the federal government, were telling Microsoft that if the situation didn’t change quickly, they would take their business elsewhere. So in January 2002 Bill Gates sent the now-famous Trustworthy Computing memo, telling everyone in the company that security was now job one. Thanks to the economic pressure applied by its customers, Microsoft didn’t just get religion on security; it became one of the faith’s chief evangelists.
But this isn’t that. Microsoft is one company, and Gates had the power to call an all stop and turn everyone’s attention to security. The IoT industry includes an untold number of vendors, many of which don’t have formal software security teams, security response organizations, or any of the other infrastructure needed to make those changes. So some of them may simply choose not to sell to the government and go on selling to the rest of the market, which is plenty big. The buying power of the federal government is considerable, but it’s not enough to fix this problem singlehandedly. Not nearly.
Digging IoT out of its security morass will require far more. Information security by its nature is a collective discipline. No one person, tool, vendor, or application is enough. It takes cooperation and collaboration to solve difficult security problems. Luckily, the security community has decades of experience solving those kinds of problems with exactly that kind of approach. Getting the IoT industry on a firm security footing will take a community effort, but not just from the security community. Security engineers can’t do any of this without the cooperation of the IoT vendors. The manufacturers hold all of the cards here and the security community can only get a seat at the table by invitation.
Change is difficult, and it often comes only after the introduction of an external force. Now is the time for the security community to reach out to IoT manufacturers, government agencies, regulators, and any other entity with skin in this game and get involved. Whatever that cooperation looks like, the picture needs to start taking shape. We’ve seen what happens when vendors are left to their own devices; now let’s see how we can fix those devices. Together.