The Internet of Things Cybersecurity Improvement Act of 2017 is proposed legislation intended to require basic cybersecurity best practices in products the U.S. government purchases. It imposes certain design requirements and capabilities to enhance overall security.
It includes nontrivial vendor constraints such as:
- Vendors cannot release products with known vulnerabilities.
- Systems must be architected so they can be patched in the future when new vulnerabilities are discovered.
- Designs are prohibited from embedding fixed passwords that cannot be reset or changed.
Sadly, these are basic practices, yet they are not being consistently followed by the Internet of Things (IoT) manufacturing industry. It saddens me that we must resort to legislation to enforce common-sense cybersecurity practices. In my opinion, the technology industry has an ethical and business responsibility to provide customers with at least rudimentary capabilities to support security, privacy, and safety.
This legislation, if approved, will put limitations on which systems the U.S. government can consider procuring. Therefore, vendors who want such customers will need to be more responsible about designing security into their products.
Recently, the U.S. Army ordered troops to stop using drones made by a major Chinese manufacturer, citing cyber vulnerabilities.
I support good security practices but in general feel legislation is a poor safety net for making them commonplace. It shouldn't be necessary. Sadly, I recognize that when the industry ignores the basics, major customers such as governments may be forced to set their own standards for purchases.
I expect other governments and sectors like finance, healthcare, and critical infrastructure to also incorporate these guidelines in their procurement requirements. If other markets follow suit, it may be a harsh wake-up call for IoT vendors that security is as important as quality.
Interested in more? Follow me on LinkedIn, Twitter (@Matt_Rosenquist), Information Security Strategy, and Steemit to hear insights and what is going on in cybersecurity.
It sounds basic, like you mentioned, but at least it's a start. It's unfortunate that we cannot be proactive and try to get ahead of the game.
It's kind of crazy to think that someone can get into your phone and screw everything up... or any device that connects to the internet :0
At least there is something to help encourage manufacturers to focus a little bit more on security.
I hope it is a wake-up-call for the industry. They need to proactively address security.
"Designs are prohibited from embedding fixed passwords that cannot be reset or changed." Is this implying that the Steemit password architecture is not a secure one?
No. There are a number of security features embedded into Steemit, including the ability to change passwords. :)
IoT has a long way to go before it is safe.
I guess the Internet of Things is already secured. But I hope with the advent of government involvement it will become more secure.