Progress in the Internet of Things
I write this on the Ides of March, a day historically associated with warnings to Beware, which is certainly a common theme in these monthly updates. In particular, we’ve discussed the risks associated with the Internet of Things: the collection of billions of devices other than computers that are connected to the Internet. In this series we have covered everything from hacks against home assistants like Alexa and Siri to the weaponization of hot tubs (see our January 2019 update). This month, though, I am happy to report on some potential progress in this area.
Today there are no standards governing how IoT devices are secured. There is no requirement to allow password changes or patches to insecure code, for example. In a cost-competitive environment, manufacturers have little incentive to spend the extra time or money to secure the devices they sell, and thus far consumer pressure has not moved the market. However, there is some good news. As reported in many outlets, a bipartisan group of Senators and Representatives has introduced a resolution called the Internet of Things (IoT) Cybersecurity Improvement of 2019. Among other things, the law would:
- Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing secure development, identity management, patching and configuration of IoT devices.
- Direct the Office of Management and Budget (OMB) to issue guidelines for governmental agencies that are consistent with the NIST recommendations.
- Require any Internet-connected devices purchased by the federal government to comply with these recommendations.
- Direct NIST to interact with cybersecurity researchers and industry experts to publish guidelines to ensure that vulnerabilities related to agency devices are addressed.
- Require contractors and vendors providing IoT devices to the federal government to adopt coordinated vulnerability disclosure policies.
It’s not clear that this legislation will pass, but if nothing else it’s a sign that the issue is starting to get noticed, and that perhaps some help is on the horizon.
About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit fitnyc.edu/cybersafe and stay tuned for emails from [email protected] for the latest from the Cybersafe campaign at FIT.
-Walter Kerner
Assistant Vice-President and Chief Information Security Officer