Admiral Dennis C. Blair, USN (Ret.) is the former U.S. Director of National Intelligence and Distinguished Senior Fellow (Non-Resident) at the Sasakawa Peace Foundation USA; Michael Chertoff is the former Secretary of the U.S. Department of Homeland Security; Arthur Coviello is Special Counsel at Wilmer Hale; and William “Bud” Roth is a Fellow (Non-Resident) at Sasakawa Peace Foundation USA.
The authors are the U.S. Commissioners of the Trilateral Cyber-Security Commission (TCSC), a project of the Sasakawa Peace Foundation USA. The TCSC was created to facilitate cooperation in the field of cybersecurity among the United States, Japan, and the European Union.
Follow Japan’s Lead on IoT Security
Experts predict that the number of connected Internet-of-Things (IoT) devices will more than double in five years, to 25 billion. This explosive growth brings with it a substantial risk that attackers will compromise these devices for a wide range of malicious ends. While no device is completely secure, security experts single out IoT devices as particularly vulnerable to well-known exploits. This is due, in large part, to manufacturers bringing commodity IoT devices to market at low prices by skipping the additional cost of adequate security. Although a number of governmental and standards organizations (ETSI, ISO, Japan's Ministry of Internal Affairs and Communications ("MIC"), and NIST) have issued or are developing voluntary security standards, governments need to step in and set minimum safety and security standards for consumer IoT devices sold in their markets. There is also value in other governments following MIC's lead and instituting a program that scans IoT devices connected to domestic networks to identify vulnerable ones.
Japan is conducting an interesting experiment directly relevant to IoT device security. The Diet amended the law governing the National Institute of Information and Communications Technology (NICT), MIC's research arm, so that NICT may scan devices on domestic ISPs' networks without falling foul of Japan's prohibition on unauthorized computer access. The scan includes basic password guessing against known default and weak credentials to identify poorly secured devices. When the scan discovers a vulnerable IoT (or other) device on the network of a local internet service provider (ISP), MIC contacts the ISP and provides enough information for the ISP to inform the customer of the problem. The customer must still take action to fix or remove the insecure device, but this is a commonsense approach that offers sizable security improvements. Other nations should consider similar efforts.
A second area to focus on is product standards. Privacy laws are spreading around the world (the EU's General Data Protection Regulation, the California Consumer Privacy Act, Japan's Act on the Protection of Personal Information), as are sector-specific regulations such as the Health Insurance Portability and Accountability Act ("HIPAA"). These laws affect businesses and other regulated organizations that deploy IoT devices in two ways: first, the laws apply directly to IoT devices that handle personal information (such as webcam images); second, organizations are liable for data breaches caused by the compromise of vulnerable IoT devices deployed on their networks. IoT devices thus place these organizations in a dilemma of cost and convenience versus security. Hospital patients benefit greatly from networked medical IoT devices, from MRI machines to more mundane health monitoring tools. However, hospital administrators and IT staff have little or no control over the quality of the security built into the very useful devices they purchase, and the insecurity of these devices risks both the health of patients and liability for the hospital.
Currently, device developers often pay little heed to security when building new products. The rush to get to market first, price competition, and lack of familiarity with secure development best practices all contribute to the multitude of insecure devices arriving on the market every day. Regulating users is not enough; it is time for government authorities to impose minimum security requirements on manufacturers of consumer (and medical) IoT devices. This is the only way to stem the tide of IoT products shipping with well-known weaknesses such as authentication over unencrypted sessions, default passwords, and unpatched third-party libraries.
The situation today for IoT devices is one more example of the interplay between product and workplace liability that has gone on since the Industrial Revolution. Securing the workplace against operational hazards cannot take place without attention being paid to the design and safety of machinery being used at work. The same is true for deployment of IoT devices—no amount of regulation on how users deploy IoT devices will fix the problem if IoT devices arrive with readily exploitable vulnerabilities built in. Right now, with the exception of a couple of FTC actions against faulty router manufacturers, no government authority is focused on this product problem.
It is time for regulators in the United States and other advanced economies to institute product standards for IoT devices that set minimum cybersecurity requirements. We recommend that these regulators harmonize their requirements in order to simplify the task of developing secure IoT devices and thereby promote cross-border trade in those devices.