IoT Security up for Grabs


The Internet of Things has been a buzzing topic for the past two years: smart cars, smart appliances, home audio assistants like Google Home and Alexa, and much more. However, the security of these devices has come under recent scrutiny and has led to constant debate between companies, lawmakers, and citizens.

Photo by: geralt via pixabay


The Internet of Things can be hacked.

Senators Steve Daines (R-MT), Cory Gardner (R-CO), Mark Warner (D-VA), and Ron Wyden (D-OR) have introduced a bill, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, that aims to confront these potential problems.

There are two main provisions in the bill. The first proposes new procurement requirements for the government and grants the associated oversight authority to the Office of Management and Budget. What this means is that when the government purchases an Internet-connected device, the vendor must disclose any known security vulnerabilities. A vendor that cannot comply will need to obtain a special exemption.

The second provision is a research exemption from existing statutes such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act. The computer security research community has been pushing for this type of measure for quite some time.

It should be said that there are some gray areas in the bill, as its brief preamble suggests: "To provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies, and for other purposes."

The bill defines an “Internet-connected device” as any physical object “capable of connecting to and in regular connection with the Internet” that “can collect, send, or receive data.” That means smartphones, tablets, and laptops are lumped in as well: not just IoT devices, but every device capable of connecting to the internet.

Questions were also raised about which researchers will be protected. The bill covers persons “in good faith, engaged in researching the cybersecurity of an Internet-connected device of the class, model, or type provided by a contractor to a department or agency of the United States,” as long as those researchers “acted in compliance with the guidelines required to be issued by the National Protection and Programs Directorate” of the Department of Homeland Security (DHS).

The definition of “responsible disclosure” is the crux of the issue: who should be told about any discovered vulnerabilities, and on what timeline.

It appears that confusion takes center stage here, at least as far as private companies and researchers are concerned.