A 'seal of approval' for IoT security?
- By Matt Leonard
- Feb 16, 2018
To ensure internet-of-things devices meet basic security standards, Sen. Edward J. Markey (D-Mass.) and Rep. Ted Lieu (D-Calif.) want a label – like the Energy Star seal – that would indicate to buyers that IoT devices meet certain cybersecurity requirements.
The Cyber Shield Act of 2017, introduced in October 2017, would create an advisory committee to set the cyber and data security standards products would have to meet to receive the seal. The committee members would be chosen by the Secretary of Commerce from industry, academia, consumer advocates and the federal government, Markey said.
“This would help consumers ID products that meet certain standards,” Markey told a crowd at an event hosted by the American Enterprise Institute.
The program would incorporate existing data security benchmarks and would address the sensitivity of the information collected, transmitted or stored by IoT devices as well as their functionality. The labels could be digital, and there could be different grades that display the extent to which a product meets the cybersecurity and data security benchmarks, according to the bill's text.
The voluntary program would not create a mandate for these standards, but it would be a way for manufacturers to show they’re following best practices, the lawmakers said.
The advisory committee would have two years to develop the standards and benchmarks. The Commerce Department's inspector general would be tasked with ensuring the benchmarks keep pace with changing technology and practices.
“It’s meant to be a living, breathing process that will change over time as technology continues to change,” Lieu said.
The public sector has been integrating IoT devices, especially at the local level, as governments look to use sensors to monitor air quality, build flood alert systems and improve farming practices. For example, Pittsburgh hopes its smart spine of connected sensors can increase efficiency within the city’s transit system by better managing the timing of traffic lights and crosswalk signals. Other cities – including Columbus, Ohio, Atlanta, Philadelphia and Kansas City, Mo. – are experimenting on a broad scale with IoT-enabled smart city technology.
Chris Calabrese, the vice president for policy at the Center for Democracy and Technology, said government technology buyers would benefit from this kind of seal.
“To the extent that the public sector are consumers, obviously they benefit from products that work and work safely,” Calabrese told GCN.
Governments could also use this seal as a baseline for rules they create, or could commit to only buying products that meet the baseline set by the seal, Calabrese said.
Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) introduced a similar bill last year that would create these kinds of requirements for devices purchased by the federal government. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require vendors to “ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements,” according to a statement by Warner.
“This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices,” Warner said in a statement about the legislation.
Attention to IoT security has been heating up. Federal agencies including the National Institute for Standards and Technology and the Federal Trade Commission have been working on how to securely manage IoT devices.
Released Feb. 14, NIST's draft “Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT)” is meant to help create cybersecurity standards for IoT. It starts with the basics of defining what IoT encompasses, goes through some existing standards and points to areas where standards are still needed.
The FTC, meanwhile, held a competition last year to develop tools that would address security vulnerabilities caused by out-of-date software in home-based IoT devices. The winner of the IoT Home Inspector Challenge proposed a mobile app-based tool that helps users manage the IoT devices in their homes by allowing them to scan their home Wi-Fi and Bluetooth networks to identify and inventory connected devices. The app would then flag devices with out-of-date software and other common vulnerabilities and provide instructions on how to update each device's software and fix other vulnerabilities.
Matt Leonard is a former reporter for GCN.