IoT Cybersecurity Act of 2017: A Necessary But Insufficient Approach

The Mirai botnet attack on the DYN network in October 2016 highlighted to many policymakers the potential problems associated with IoT devices. The compromise and concerted use of thousands of webcams and DVRs to disrupt key Internet services focused attention on the poor implementation of security controls on millions of devices newly connected to the Internet.

The introduction of the IoT Cybersecurity Improvement Act of 2017 by a bipartisan group of US senators seeks to address the inherent threat IoT devices pose to federal government services. This bill builds on recent efforts, including the Trump administration’s new executive order on cyber security for federal networks and critical infrastructure.

The IoT Cybersecurity Improvement Act would require the Office of Management and Budget Director to confer with various cabinet and agency officials to define implementation guidance to ensure contracts that enable IoT installation in federal systems meet standards that allow for regular identification and patching of vulnerabilities found in deployed IoT devices across the federal government. The central concept of the bill is the requirement for contractors and agency heads to own the evolving security footprint of IoT devices deployed in their network. This approach is consistent with the Trump administration’s guidance for agency heads to be held responsible for the protection of their networks and critical systems and to include these devices as part of an overall assessment of risk.

While the bill requires contractors to assess deployed “internet connected devices” against vulnerability databases and recommend patching strategies, it does allow agency heads to apply for waivers in cases where devices with “severely limited functionality,” defined as Internet-connected devices with limited data processing and software functionality, can be exempted from the requirement if the executive agency deems it “economically impractical.”

For example, if an agency has deployed 10,000 smart lightbulbs and a vulnerability is found, the head of the organization would be able to request a waiver noting that those lightbulbs have limited functionality and would represent an “undue burden” to replace them with newer models (or push out a patch). It is reasonable for the government to carve out this exception. However, it does raise a fundamental issue. If most IoT devices, including small sensors, lightbulbs, etc., are individually cheap by design (e.g., to be competitively viable as compared to traditional devices), does the introduction of those devices pose an unacceptable risk to the federal agency? Or, in other words, is the agency willing to allow devices that could be used as a relay in a cyber campaign because the devices have “severely limited functionality”?

The bill addresses this problem through the requirement of a risk assessment. In this case, the bill attempts to leverage the current requirement for agencies to develop comprehensive risk frameworks as laid out in the May 11, 2017 US Cybersecurity Executive Order. Those requirements ensure agencies follow the NIST Cybersecurity Framework, which provides organizations with a set of best practices to identify and reduce their cybersecurity risk. This makes sense, yet neither the bill nor the NIST framework provide methodologies for conducting the actual risk assessment. Instead, agencies are left to design and implement their own approaches, which is useful but ultimately problematic, as an inconsistent set of definitions and criteria can be applied.

If IoT devices are structurally incentivized to not integrate robust security controls, and agencies can apply for exemptions to found vulnerabilities, and our application of risk assessment is immature to not fully grasp how those devices can be leveraged by hackers, how can we embrace evolving technology while at the same time protecting the most critical services provided by federal agencies?

The IoT Cybersecurity Improvement Act of 2017 would be a good piece of legislation, as it serves to move the ball forward in highlighting an area of weakness in federal network security. However, the inconsistent and immature processes by which we assess risk to our core services undermines its effectiveness.

Editor’s note: Prior to Dr. Harry’s appointment at the University of Maryland, he spent more than 14 years working in the federal government.

Dr. Charles Harry, Director of Operations, University of Maryland Global Initiative in Cybersecurity, Associate Research Professor in the School of Public Policy

[ISACA Now Blog]