A First Legislative Step in the IoT Security Battle
Despite appearances, there is some important bipartisan work afoot on Capitol Hill. On Aug. 1, Sens. Mark Warner, Cory Gardner, Ron Wyden and Steve Daines dropped the Internet of Things (IoT) Cybersecurity Improvements Act of 2017. The bill seeks to use the federal government’s purchasing power to drive much-needed cybersecurity improvements in internet-connected devices. In addition, the bill would amend the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act to encourage research on device vulnerabilities. These are important first steps in combating a large and growing menace from billions of poorly secured devices.
Warner and Gardner are co-chairs of the Senate Cybersecurity Caucus, and Warner in particular has been sounding the alarm on IoT vulnerabilities for some time. Our penchant for expecting that just about everything—items as varied as children’s toys, household appliances and vibrators—will be internet-accessible has reached dangerous proportions. There are billions of unsecured or grossly under-secured internet-connected devices globally, a number widely expected to reach 20 billion by the end of this decade. Last year’s Mirai denial-of-service attacks were a public demonstration of a threat that stands to grow unless IoT devices are made more secure.
The heart of the proposed legislation is a series of contractual obligations placed on government vendors of “Internet-connected devices.” New guidelines issued by the director of the Office of Management and Budget—in consultation with the secretaries of defense, commerce and homeland security as well as the head of the General Services Administration—would require five new clauses in “any contract . . . for the acquisition of Internet-connected devices.” Given the vast array of products the government buys, and the broad definition of “Internet-connected device” in the bill, the proposed legislation could impose a common-sense set of minimum security standards across a wide swath of the IoT.
The new contractual clauses would force manufacturers seeking to sell to the federal government to close the most obvious security holes in internet-connected devices. The clauses would cover the government’s purchase of any “physical object” that is “capable of connecting to and is in regular connection with the Internet; and has computer processing capabilities that can collect, send, or receive data.” This includes products from the lowliest sensor to laptops and mobile devices.
The bill would require vendors to:
- Certify that the “hardware, firmware or software” in a device contains no known security vulnerabilities; can accept authenticated updates; uses current industry-standard protocols for communications, encryption and interconnection with other devices; and has security mechanisms for remote administration of the device that can themselves be updated in response to threats and breaches;
- Notify the purchasing agency of any new software or firmware vulnerabilities of which the vendor becomes aware for the duration of the contract;
- Provide software and firmware updates that would “fix or remove any future security vulnerability or defect in any part of the software or firmware” in a device;
- Repair or replace the device when a new vulnerability cannot be remedied through an update; and
- Provide the purchasing agency with basic security support-related information, including an anticipated timeline for the duration of security support and a formal notice of ending of security support.
Other provisions provide some flexibility in the standards that would be set. For instance, executive agencies could use alternative security standards or selection processes that provide “equivalent or greater level security” than those promulgated by OMB. These alternative standards and processes could be developed by third parties or be agency-created. In either event, the National Institute of Standards and Technology must certify that the standards or processes provide “appropriate security.”
Critics will home in on a number of aspects of the bill’s approach. First, despite the potentially broad effect of imposing basic cybersecurity standards on products offered to the government, some will say this is but a drop in the IoT ocean, and one not worth the cost. There are many items the government does not buy (at least one hopes it does not buy), and there are huge markets for cheap and vulnerable devices around the world, each of which is part of the IoT threat in the United States. But it is time to stop complaining about the uselessness of incremental steps to improve cybersecurity. Legislation is usually about incremental improvement, particularly in complex areas, and a requirement that legislation comprehensively “fix” cybersecurity in order to be enacted admires the cybersecurity problem instead of ameliorating it.
Second, there are a number of exceptions to requiring the clauses, and care must be taken that they don’t end up swallowing the potential benefits. For instance, an agency head can waive the “no known vulnerabilities” clause at the request of a vendor that discloses a known vulnerability to the agency and provides “mitigation actions that may limit or eliminate the ability for an adversary to exploit the vulnerability.” If the head of the purchasing agency grants the waiver, she or he must also acknowledge in writing that the “executive agency accepts such risks resulting from use of the device with the known vulnerability as represented by the contractor.”
A request for this sort of waiver could be very common, particularly at the outset of the new contractual regime, because it is not uncommon for software and firmware builders to utilize libraries with known vulnerabilities. Since the vendor’s proposed mitigation actions only “may” limit or eliminate the vulnerability, it would be best if these waivers were scarce. Security in these instances will turn on the personal reluctance of an agency head to sign off on a purchase that could turn out to be part of a cyberdisaster.
Agencies also will be able to ask the OMB director for a waiver of all the contractual clauses if they “reasonably believe” that it would be “unfeasible or economically impracticable” to demand the clauses in a contract for “an Internet-connected device with limited data processing and software functionality.” This, too, has potentially broad sweep because many IoT devices are sensors of one sort or another and easily could fall into this “device too dumb” category. But the legislation would require the OMB director to work with the National Institute of Standards and Technology to develop a “set of conditions” for these non-compliant devices that assures they “can be used” with an appropriate level of security, conditions that must be met before an agency can buy the device.
The legislation’s other aim is the creation of a “coordinated disclosure program” for vulnerabilities associated with internet-connected devices used by the federal government. This program would have two parts. First, the National Protection and Programs Directorate (NPPD) in the Department of Homeland Security must “in consultation with cybersecurity researchers and private-sector industry experts” issue guidelines for “conducting research on the cybersecurity of an Internet-connected device.” Based on ISO 29147, the guidelines would require vendors to adopt procedures for accepting information about vulnerabilities and for disclosing those vulnerabilities.
The real meat of the program, however, lies in the second part of the bill. The legislation would amend both the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act in order to provide more room for “researchers” to investigate vulnerabilities. The bill provides a safe harbor to the liability provisions of the CFAA for vulnerability researchers “acting in good faith” and “in compliance” with the NPPD guidelines as adopted by a government vendor. Similar safe harbors are added to the private civil and criminal enforcement provisions of the Digital Millennium Copyright Act.
Both the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act have long been criticized by academics and the white-hat hacker community as improperly limiting security research and unreasonably favoring the financial and reputational interests of corporations and rights holders. Sen. Wyden has long been critical of prosecutions under the Computer Fraud and Abuse Act and in 2013 introduced a series of amendments as part of “Aaron’s Law” in the wake of Aaron Swartz’s suicide as he awaited trial for an alleged CFAA violation. Inclusion of these safe harbors no doubt accounts, at least in part, for the support a variety of academic and tech-left groups immediately announced for the Senate legislation.
Of course, one man’s heroic researcher is another’s reviled hacker, and significant work will be required to ensure that the national guidelines encourage research that is translated into product improvements. Most important, the guidelines must include some set of requirements for researchers as well as vendors to further a climate of cooperation between the two communities.
The legislation itself provides little guidance on what the researcher requirements might be. ISO 29147—which is specifically cited as the guideline model—provides standards only for how vendors receive information about potential vulnerabilities and then disseminate information resolving those vulnerabilities. ISO 29147 says nothing about the behavior of those finding the vulnerability.
Two other provisions add only a little to the picture. Both safe harbors require the researcher to be “acting in good faith,” a requirement that no doubt will generate a good deal of brief-writing. And the research at issue must be conducted on the “same class, model, or type of the device” the government buys and “not on the actual device provided to the United States Government.” This latter provision would seem to exclude hacking the government to research vulnerabilities, but not exclude hacking other parties using the same class, model, or type of device the government purchases.
The bill’s focus on government purchasing power—along with its proposed safe harbors—is well designed to minimize effective legislative opposition. We are at the beginning of the process, and while experts will offer improvements (see Nicholas Weaver’s Lawfare post) we should avoid extras that promote controversy. Even modest cyber bills take an inordinate amount of time and energy to pass. The absurd ruckus over the Cybersecurity Information Sharing Act is a case in point. The best outcome would be quick congressional review and approval of the Internet of Things Cybersecurity Improvements Act, beginning the process of improving the basic security of internet-connected devices, and moving on to the next incremental piece of positive cybersecurity legislation.