The Yin-Yang of Cybersecurity Legislation – The Internet of Things Cybersecurity Act


The dynamic of opposites permeates human culture: light and dark, push and pull, happy and sad, supply and demand, yin and yang. While we tend to prefer one over the other, the reality is that the tension between opposites is what makes them complementary. The same can be said of technology. We all know that quick and free access to information, regardless of economic status, is changing the world. But none of that would be possible without security safeguards like accountability and authentication. Without those, economics, capitalism, and even democracy itself are severely strained. Which is why security is a multi-billion dollar industry. 

The recent growth of the Internet of Things (IoT) is a case study of what happens when access and availability are not counterbalanced by security. The vast majority of IoT devices available today have been built with little to no thought for security, and yet they are being integrated into the fabric of our daily lives at an unprecedented rate. As a result, massive botnets like Mirai and Hajime composed of millions of compromised IoT devices managed to take down a significant segment of the Internet and affect hundreds of thousands of businesses around the world. Most security experts agree that these attacks are just the tip of the IoT-based cyberthreat iceberg, and that they represent an extraordinarily large attack vector built into our emerging digital economy. 

The Internet of Things Cybersecurity Act of 2017 is a noteworthy attempt to address these challenges before they escalate further. The proposed IoTCA bill gives the problem of security and control a good deal of attention, which is appropriate, since solving the problem of authentication (people-to-machines, software-to-hardware, data-to-processes, etc.) would be almost the Internet security equivalent of solving world peace.

Over the next few years, billions more IoT devices will become part of our digital lives. If implemented properly, they could utterly transform business and society. However, their value will be limited by the degree to which we can trust their authenticity – that they are what or who they claim to be. Though the IoTCA is not a silver bullet, it attempts to reduce the level of obvious risk in a ballooning population of Internet-connected devices.

Of course, like everything, even legislation is a two-edged sword. I’m concerned about any attempt to legislate vulnerabilities, in part because technology evolves so quickly. Trying to strike a balance between progress and protection can be a tricky business, much like trying to shoe a horse at full gallop. While the government should use its power of the purse – its contracting and procurement processes – to move the ball forward, it’s probably not practical, for example, to demand written “verification” or “certification” that an IoT product is vulnerability or defect free. Security is a moving target. Frankly, the best that such a certification could mean is that at the moment a device was analyzed it was free from any known defects or vulnerabilities and was not vulnerable to any attacks that the manufacturer knew about. Knowing how fast things change in cyberspace, however, such verifications are the digital equivalent of mayflies. 

Similarly, the IoTCA’s proposal to require “industry standard protocols,” however well intentioned, may have unintended consequences because of its potential impact to innovation. These sorts of things need to be developed with care. Standards take time for a good reason. Imposing them with the force of law may unintentionally stifle breakthrough solutions that might leapfrog current technologies. And in that case, everyone would lose. 

On the other hand, the proposed IoTCA legislation’s liability protection for those who are forthcoming about vulnerabilities is a breath of fresh air, especially compared to some of the critical infrastructure sectors that, for fear of regulatory fines, limit vulnerability disclosures. 

Likewise, the bill’s reference to the important role of “segmentation” reflects a sophisticated understanding of security strategy: when it comes to cybersecurity strategy, segmentation is still king.

Segmentation (limiting access based on need-to-know to those with authenticated credentials): 

  • Prevents breaches
  • Limits the potential scope of already-occurred compromises
  • Enables innovation by allowing experimentation and the adoption of promising technologies that might still be on the path toward optimal security 

The bill rightly encourages the adoption of segmentation strategies and architectures. This approach would allow IoT devices to be incorporated into the network intelligently while limiting their potential negative impact. Visibility into the devices actively connected to the network also continues to be a challenge for most organizations, which is why the bill’s “inventory of devices” requirement would create an excellent starting point for organizations to reference when selecting and operating IoT devices. Proper segmentation and monitoring would not only separate classes of devices and data, but would also allow administrators to pinpoint and isolate misbehaving devices, check them against the inventory, and then extend remediation to all related devices, not just the one that had been identified.

“Intentional design” is a strategy whereby vulnerabilities and potential attack vectors are identified and architected out of the network during the design phase, rather than relying exclusively on security technology. Segmentation is a fundamental part of such a design strategy. At Fortinet, we’re experimenting with a strategy called “Earned Trust,” where IoT devices would be allowed access based on their stated trust levels, but whose network behaviors would be automatically and actively monitored to ensure they are performing as advertised. If their behavior, or their level of “earned trust,” changes, the network could automatically adjust their access policies. At the same time, the level of monitoring or access for similar devices could be adjusted while we determine whether the observed behavior was an anomaly or endemic to an entire class of devices.
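As an added illustration (not Fortinet’s code and not part of the original post), the following Python sketch models the inventory, segmentation and “earned trust” behaviour described in the two paragraphs above: a device starts in the segment its stated trust level allows, each observed flow is checked against a per-class behaviour profile, a misbehaving device is isolated, and monitoring is raised for its whole class so remediation can be extended to related devices. The device names, ports, class profiles and segment names are constructed assumptions.

```python
# Constructed example of segmentation plus "earned trust" policy adjustment.
# Device ids, ports, class profiles and segment names are hypothetical.

INVENTORY = {                      # device id -> (class, stated trust level)
    "cam-01": ("camera", "medium"),
    "cam-02": ("camera", "medium"),
    "thermo-01": ("thermostat", "low"),
}
CLASS_PROFILE = {                  # destination ports each class is expected to use
    "camera": {443, 554},
    "thermostat": {443},
}
TRUST_TO_SEGMENT = {               # access policy: trust level -> reachable segment
    "medium": "iot", "low": "iot-restricted", "quarantine": "isolated",
}


class EarnedTrustEngine:
    def __init__(self):
        self.trust = {dev: lvl for dev, (_, lvl) in INVENTORY.items()}
        self.monitoring = {cls: "normal" for cls in CLASS_PROFILE}

    def observe(self, device, dst_port):
        """Check one observed flow and return the segment the device may now reach."""
        if device not in INVENTORY:
            # Unknown device: nothing to check its behaviour against, so it earns no trust.
            self.trust[device] = "quarantine"
            return TRUST_TO_SEGMENT["quarantine"]
        cls, _ = INVENTORY[device]
        if dst_port not in CLASS_PROFILE[cls]:
            # Behaviour differs from what the device class advertises: isolate it
            # and watch its siblings more closely until the cause is understood.
            self.trust[device] = "quarantine"
            self.monitoring[cls] = "elevated"
        return TRUST_TO_SEGMENT[self.trust[device]]

    def related_devices(self, device):
        """Inventory lookup used to extend remediation to the whole device class."""
        cls, _ = INVENTORY[device]
        return sorted(d for d, (c, _) in INVENTORY.items() if c == cls and d != device)


def run_sample():
    """Replay a few constructed flows; returns decisions, monitoring state, siblings."""
    eng = EarnedTrustEngine()
    flows = [("cam-01", 443), ("thermo-01", 443), ("cam-01", 23), ("cam-02", 554), ("rogue-99", 80)]
    decisions = {f"{d}:{p}": eng.observe(d, p) for d, p in flows}
    return decisions, eng.monitoring, eng.related_devices("cam-01")
```

The telnet-style flow from cam-01 moves only that camera to the isolated segment, but raises monitoring for every camera in the inventory, which is the "extend remediation to related devices" step the text describes.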

Of course, the boom of IoT across its many classes (consumer, commercial, industrial) means that the majority of data is no longer contained inside traditional networks, so securing only a few points within the network will no longer be good enough. Security strategies like segmentation need to be woven deep into the core of the network and at the same time expand out to the cloud, remote locations, and even end users. These security technologies need to work as an integrated system to automatically identify, understand, and protect infrastructures from the massive attack surfaces and new attack vectors created by IoT across today’s – and tomorrow’s – increasingly distributed and elastic network environments.

While the adoption and integration of IoT is going to require taking a fresh look at existing security solutions and strategies, the questions we need to ask about business goals, related risks, and risk mitigation haven’t changed. Network security not only needs to continue to actively prevent intrusions, it also needs to minimize the risk of serious breaches by reducing the time taken to detect and respond to new threats. Security solutions need to become better at collecting and sharing intelligence. They will need to be able to correlate indications of compromise and automatically coordinate a response to a threat or breach regardless of where it occurs or what attack vector was used. Given the scope and scale at which networks are evolving, achieving this will require a broad, powerful, and automated approach to security that many agencies and organizations do not yet have in place. 

I’d like to see a little more consultation with industry as this bill progresses. Businesses and even nations are staking their financial futures on the new digital economy. 

Back to the topic of synergistic opposites:

  • IoT represents a huge leap-forward in technology, making our lives and businesses more convenient and efficient.
  • Unsecured IoT will lead to the demise of the principles of accountability and trustworthiness – an inevitable slippery slope toward the rise of the machines.

Which is the truth? Right now, they both are, in part. But the good news is that, going forward, we can ensure that we maintain a healthy balance between the yin of ubiquitous IoT (and the convenient and instant access to information and services it represents) and the yang of holding it accountable for doing what we expect it to do, and nothing more, through authentication and the adoption of the principles of Earned Trust.