More than 100 tech and cybersecurity entities are calling for governments and industry to move towards universal standards for baseline security when it comes to Internet of Things devices.
In a letter released Thursday, 104 different organizations – ranging from private companies like Google, Microsoft and Deloitte to non-profits like Consumer Reports, the Center for Internet Security, and the Cyber Threat Alliance – said there is a “global consensus” forming around the need for IoT security standards that must be addressed through a mix of government regulation and voluntary private sector action.
In particular, the groups highlight five security capabilities that all connected devices should share: regular software updates, no default passwords, a vulnerability disclosure policy for the product or its manufacturer, data security, and secure communications. These five capabilities already appear in more than 100 security and privacy standards around the world, and further adoption could help dramatically reshape the notoriously shoddy and largely unregulated IoT security landscape.
“While all stakeholders – manufacturers, distributors, vendors, regulators, even consumers themselves – have respective roles to play in the safe development, deployment and use of IoT products, device security requires manufacturers and vendors who place devices on the market to adhere to best practices to ensure products are designed with security in mind,” the group writes. “With connected devices today having supply chains that reach around the world, establishing a recognized global baseline for consumer IoT security is a critical step toward a more resilient and trusted digital future.”
One of the most challenging aspects of regulating this area is that “IoT” is essentially a catch-all term for a wide range of products and devices, many of which have different levels of technological maturity and sophistication. The software powering a smart fridge or Alexa device is exponentially more complex and trickier to secure than a low-grade light or power sensor, yet all of them can be, and regularly are, captured under the current definition.
That makes it difficult to develop standards that would be relevant to the security problems posed by products and systems on the higher end of the scale while still being practical for manufacturers at the lower end. Even defining what an IoT device is and what it is not can be difficult. The groups acknowledge that this will not be a smooth or easy process, and pledge to continue working through international bodies like the World Economic Forum to develop additional guidance and throw their consensus support behind emerging standards.
“Those of us endorsing this statement come from across stakeholder groups, including members of industry at various stages of adopting these best practices,” the organizations wrote. “We recognize that implementing these capabilities poses different challenges to manufacturers and vendors around the world. We also recognize the broad range of stakeholder activity relevant to this work.”
The 2020 Internet of Things Cybersecurity Improvement Act – the first major piece of IoT legislation passed in the United States – defines an IoT device as a device with at least one sensor or actuator that interacts with the physical world, a network interface, and the ability to operate independently, not just as part of a larger system or network. It put the National Institute of Standards and Technology in charge of developing more in-depth security standards and acquisition rules that the federal government must adhere to, and mandated things like vulnerability disclosure policies.
However, that law only governs the federal civilian government and businesses that sell to the government; it doesn’t seek to regulate the broader private market that manufactures billions of such devices every year. Even within this narrower scope, some of the same problems emerge when trying to develop standardized rules. As professional services firm PricewaterhouseCoopers put it when describing the law’s challenges:
“To use traditional controls such as encryption requires increasing the load on limited system bandwidth, and using public key infrastructures would mean having to update certificates regularly. Adding hardware security modules (HSMs) to the products would make them more expensive. Moreover, tracking the authenticity and integrity of IoT components is difficult because the supply chain is so complex — so difficult that a reliable mechanism for checking integrity has yet to be invented.”