Is the government worried about smart coffee pots taking down the West Wing?

Ten years ago you didn’t have to worry about someone hacking your refrigerator. Today, your personal home assistant is quite literally listening to your every move. Experts believe that in just a few years, there will be over 20 billion devices connected to the internet with the possibility of being compromised by an attacker due to the lack of security built into these devices.

It comes as no surprise that, as IoT devices proliferate, attackers are increasingly looking to exploit them. Large-scale events (like last October’s DDoS attack targeting systems operated by Dyn) and warnings from security experts finally have government officials paying attention.

Think of it this way: A government employee connects a smart coffee machine to the same WiFi network that his or her computer is connected to (even though manufacturers of smart coffee machines often instruct that these devices should be connected to their own isolated WiFi network, so that if that particular network is breached, no other devices are harmed). Shortly after, an attacker targets the network. The coffee machine does not have anti-virus software installed, or any type of security for that matter, so it becomes infected. Soon, the entire network will be compromised.

So, a coffee pot can infect the West Wing’s network with ransomware?

It’s not likely, but it’s certainly possible.

Days ago, the federal government introduced the Internet of Things Cybersecurity Improvement Act, an initiative designed to set security standards for the government’s purchase of IoT devices.

The government doesn’t often involve itself in manufacturing decisions, so as to steer clear of stifling innovation. However, IoT security is now a matter of national security. Senators Mark Warner (D-Va.) and Cory Gardner (R-Colo.) are spearheading the effort to require companies that sell wearables, security cameras, sensors and other web-connected tools to federal agencies to adhere to stricter security regulations.

And while it is good news that IoT-device security issues are getting more attention, the proposed bill would only impose security regulations on devices sold to federal agencies, not to devices sold to consumers.

A lot of questions

This raises a lot of questions concerning consumer IoT-device security in the United States. How will independent consumers benefit from the security features and enhancements that would be required of products being sold to the federal government? Will all vendors of IoT products be held to the same standards, even if the products are not purchased by the federal government? Can vendors pick and choose what models are sold to the government and to consumers? Will there be a standard requirement for all goods and technology sold in the United States, especially for those devices in which personal data is collected? 

This bill should challenge consumers and vendors alike. We are aware of the true danger IoT devices can create beyond the computer: they can control systems in the real world. Too often, security is an afterthought instead of a partner in the decision-making and building of the products we have grown to enjoy as consumers. Since the adoption of IoT devices is on the rise, manufacturers are competing to stay ahead. This means creating cheap products quickly, which means overlooking security measures.

As a result, consumers sacrifice their security and privacy for the convenience and enjoyment of a product or service. Instead, we should challenge ourselves and ask whether the convenience is worth the risk and compromise. We should demand that the creators and innovators of IoT devices treat security as a top priority.

White hats can pass

Another interesting part of this proposed bill is the cover it provides to researchers. If passed, the bill will “exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.”

This means security researchers would be given more freedom to explore IoT devices for vulnerabilities in “good faith,” through white hat hacking and other means. As a result, more researchers will be able to ethically disclose the vulnerabilities and security concerns they discover.

Right now, we have to ask ourselves whether this bill is a long-term plan and strategy to keep security requirements and validation in sync with rapidly growing technology, or a problem that we will have to keep monitoring and fixing. Answers to these questions will come with time, and unfortunately, trial and error.


———

This article originally appeared on August 8 – https://readwrite.com/2017/08/08/government-cybersecurity-iot-dl1. 
