How is a refrigerator like a stoplight camera and a delivery drone?
Each of these devices and hundreds of millions of others are part of the internet of things (IoT), meaning that manufacturers are building them with sensors for their environment and connectivity to send information elsewhere. The places that information is sent can be as varied as the devices themselves. The refrigerator will show its data to its owners and likely send maintenance information to its manufacturer and retailer. The stoplight camera will send photos or video to the city traffic control office. The delivery drone will likely send data to the delivery recipient and the drone owner or retailer who sent it out.
As more of these devices are added into circulation every day, the risks increase that someone can hack into them and capture the data for nefarious purposes, ruin the data integrity or even use the connectivity to modify the functioning of the device itself. Many of the sensors and connective tools on these devices are small and have little room for extra functionality. They are often rushed to market to beat the competition. Manufacturers can easily skimp by building little or no security protection into them.
Forecasts suggest that the global market for internet of things end-user solutions will grow to around 1.6 trillion dollars by 2025, with more than 75 billion devices in the field receiving and sending data. These devices will control the buildings we live and work in, the equipment running our factories and warehouses, and the cars and trucks we drive.
With this knowledge, an otherwise largely dysfunctional U.S. Congress in an election year found that IoT security was a bipartisan issue ripe for the passage of legislation. Both Houses of Congress have now passed the Internet of Things Cybersecurity Improvement Act, which has been sent to the White House for the President’s signature, in recognition that developing a secure IoT is a matter of national security.
The Act instructs the National Institute of Standards and Technology (NIST) to oversee the creation of IoT security standards. It limits federal agencies and contractors to using only devices that meet the cybersecurity standards prescribed by NIST, and requires them to notify specified agencies of known vulnerabilities affecting IoT devices they use.
According to Forbes, “The bill was written in response to major distributed denial of service (DDoS) attacks, including one in 2016 in which the Mirai malware variant was used to compromise tens of thousands of IoT devices, orchestrating their use in overwhelming and disrupting commercial web services. The threat hit closer to home for the federal government in 2017 when it was discovered that Chinese-made internet-connected security cameras were using previously undetected communications backdoors to ‘call home’ to their manufacturers, presenting a risk that what was visible to a camera’s lens was also visible to our geopolitical rivals.” Last year, Congress prohibited the use of Chinese cameras in Department of Defense facilities.
Commentators expect that the IoT standards published by NIST pursuant to this Act will also influence the purchase of IoT devices in the private sector. Manufacturers wanting to address both markets will raise the bar on security for everyone, and lawsuits over security lapses can use the NIST standards as a baseline for corporate negligence. The requirements in the Act are also likely to ultimately reduce the costs of IoT security as more manufacturers develop their own standards and supply chains supporting this goal.
As the many devices in our lives become deeply interconnected, it is good to see a serious push for security in this space.