Government Activism and IoT

Posted in Cyber Security, Embedded Software

The Mirai Botnet Distributed Denial of Service (DDoS) attack of September and October 2016 gave a brief glimpse of the effect Internet of Things (IoT) devices can have on the greater Internet.  This event was especially felt in Washington, D.C., where there seems to be an uptick in Government activism around IoT and in the frequency and scale of intervention with IoT device manufacturers.  The following are just a few examples:

  • On December 30, 2016 the Congressional Internet of Things Working Group released a white paper on IoT stating that, “Recent examples of cyberattacks on IoT devices have exposed not just the potential impact on individual consumers, but the possible vulnerability on the broader Internet infrastructure.”
  • On January 5, 2017 the Federal Trade Commission issued a complaint against D-Link claiming that D-Link’s “routers and cameras have been vulnerable to attacks that subject consumers’ sensitive personal information and local networks to a significant risk of unauthorized access.”
  • On January 9, 2017 the Federal Drug Administration released a note about St. Jude Medical stating that its devices had vulnerabilities that, “if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device.”
  • On January 12, 2017 the Department of Commerce released a Green Paper highlighting the security concerns around IoT. It states that the DDoS attack, “was the most visible and far-reaching example of the potential risks that must be mitigated when considering IoT.”

It appears that this is the beginning of an activist approach taken by the Government to monitor IoT device manufacturers.  Indeed, the Congressional Internet of Things Working Group white paper states that participants, “grappled with whether or not a solution should rely on industry established standards, agency recommendations, legislation, or a combination of all the above.”

TELEGRID is a designer of secure embedded systems for the US Military and has developed a framework to design systems in line with DISA’s Security Technical Implementation Guides (DISA STIGs).  While some commercial manufacturers follow NIST guidelines, others ignore security completely.  As Senator Mark Warner, co-founder of the Senate Cybersecurity Caucus, stated, “Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support.”

Is the Government going to “incentivize” commercial manufacturers to bake in security?  Will the Government shut certain companies out of the market for selling unsecure IoT devices?  What will be the cost impact to consumers?

These are all very tough questions and it seems the Government is moving quickly to try to answer them.  Are IoT manufacturers paying attention?

 

Eric Sharret is Vice President of Business Development at TELEGRID.  TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, and Multi-Factor Authentication (MFA).

 

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.