Proposed IoT Security Bill Doesn't Go Far Enough
Earlier this month, four U.S. senators introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. This piece of legislation seeks to establish minimum cybersecurity standards for federally procured Internet of Things devices. It defines a device as a physical object that can connect to – and regularly connects with – the Internet and "has computer processing capabilities that can collect, send or receive data."
In a nutshell, the act would require vendors to certify that IoT devices they are selling to the U.S. government:
- have no known vulnerabilities;
- can be properly authenticated and updated in a trustworthy fashion;
- use current industry standards for communications, encryption, and interconnections;
- eliminate fixed passwords.
The act is a noble effort and may well pass. However, it won't adequately protect our nation's IoT devices because, all too often, a device has a software weakness unknown to the vendor. This is called a zero-day vulnerability. Hackers patiently and deliberately search for these holes because, once one is found, it can be exploited to access user information or to plant malware and spyware. Only after the user discovers the breach – which can take months if not years – can developers hurriedly develop a "patch" to repair the software's weak point.
To understand the severity of zero-day vulnerabilities, consider these statistics:
- A staggering 3,986 zero-day vulnerabilities were discovered in 2016.
- Nearly 30% of all malware attacks exploit zero-day vulnerabilities.
- Underlying IoT toolkits such as gSOAP have their own zero-day vulnerabilities, putting millions of IoT devices at risk.
- Malware signatures are changing so rapidly that it's impossible for intrusion-detection systems and antivirus software to recognize them.
Here's another drawback to the bill. As detailed in this article, this article and this report, hacks are quite often not the fault of the device. Human error, stolen credentials and poor patch management can also be the cause. In fact, the largest hack in U.S. government history – the Office of Personnel Management breach – was initiated when a hacker stole the credentials of a government contractor.
And, as a February 2017 report by the U.S. Government Accountability Office found, federal agencies "consistently fail to apply critical security patches on their systems in a timely manner, sometimes doing so years after the patch becomes available."
At Dispersive, we create software networks that feature highly advanced techniques that can help secure IoT devices from unauthorized access. It's technology that can change the way you use the Internet.
We welcome the chance to talk with you – or anyone in Congress who may be interested – about all this. To get the conversation started, just email us at firstname.lastname@example.org or call us at 1-844-403-5852.