[BreachExchange] Is the government worried about smart coffee pots taking down the West Wing?

[Destry Winant]

https://readwrite.com/2017/08/08/government-cybersecurity-iot-dl1/

Ten years ago you didn’t have to worry about someone hacking your
refrigerator. Today, your personal home assistant is quite literally
listening to your every move. Experts believe that in just a few
years, there will be over 20 billion devices connected to the internet
with the possibility of being compromised by an attacker due to the
lack of security built into these devices.

It comes as no surprise that, as IoT devices proliferate, attackers
are increasingly looking to exploit them. Large-scale events (like
last October’s DDoS attack targeting systems operated by Dyn) and
warnings from security experts finally have government officials
paying attention.

Think of it this way. A government employee connects a smart coffee
machine into the same WiFi network that his or her computer is
connected to (though manufacturers of smart coffee machines often
instruct that these devices should be connected to their own isolated
WiFi network so that in case this particular network is breached, it
will not harm any other devices). Shortly after, an attacker targets
the network. The coffee machine does not have anti-virus software
installed, or any type of security for that matter, so it becomes
infected. Soon, the entire network will be compromised.

So, a coffee pot can infect the West Wing’s network with ransomware?

It’s not likely, but it’s certainly possible.

Days ago, the federal government introduced the Internet of Things
Cybersecurity Improvement Act, an initiative designed to set security
standards for the government’s purchase of IoT devices.

The government doesn’t often involve itself in manufacturing decisions
so that they steer clear of stifling innovation. However, IoT security
is now a matter of national security. Senators Mark Warner (D-Va.) and
Cory Gardner (R-Colo.) are spearheading the effort to require
companies that sell wearables, security cameras, sensors and other
web-connected tools to federal agencies to adhere to stricter security
regulations.

And while it is good news that IoT-device security issues are getting
more attention, the proposed bill would only impose security
regulations on devices sold to federal agencies, not to devices sold
to consumers.

A lot of questions

This raises a lot of questions concerning consumer IoT-device security
in the United States. How will independent consumers benefit from the
security features and enhancements that would be required of products
being sold to the federal government? Will all vendors of IoT products
be held to the same standards, even if the products are not purchased
by the federal government? Can vendors pick and choose what models are
sold to the government and to consumers? Will there be a standard
requirement for all goods and technology sold in the United States,
especially for those devices in which personal data is collected?

This bill should challenge consumers and vendors alike. We are aware
of the true danger IoT devices can create beyond the computer; they
can control systems in the real world. Too often, security is an
afterthought instead of a partner in decision-making and building of
products we have grown to enjoy as consumers; since the adoption of
IoT devices is on the rise, manufactures are competing to stay ahead.
This means creating cheap products quick – which means overlooking
security measures.

As a result, consumers sacrifice their security and privacy for the
convenience and enjoyment of a product and service. Instead, we should
challenge ourselves and ask if the convenience is worth the risk and
compromise. We should demand that creators and innovators of IoT
devices should consider security a top priority.

White hats can pass

Another interesting part of this proposed bill is the cover it
provides to researchers. If passed, the bill will “exempt
cybersecurity researchers engaging in good-faith research from
liability under the Computer Fraud and Abuse Act and the Digital
Millennium Copyright Act when in engaged in research pursuant to
adopted coordinated vulnerability disclosure guidelines.”

This means security researchers would be given more freedom in
“good-faith” to explore IoT devices for vulnerabilities through white
hat hacking and other means. As a result, more researchers will be
able to ethically disclose more discovered compromises and security
concerns.

Right now, we have to ask ourselves whether this bill is a long-term
plan and strategy to keep security requirements and validation in sync
with rapidly growing technology, or a problem that we will have to
keep monitoring and fixing. Answers to these questions will come with
time, and unfortunately, trial and error.