September 24, 2018

September 21, 2018

Trump Administration Botnet Report Will Impact IoT Device Makers – Things You Should Know

Manufacturers of wireless devices used for Internet of Things (IoT) applications should take heed of new Trump Administration proposals aimed at reducing the cybersecurity threats from botnets and other automated and distributed attacks.

Following a year of public and internal discussions and inquiry, the Department of Commerce and Department of Homeland Security (DHS) recently issued a Final Report on the topic, “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.” The Report arises from the cybersecurity Executive Order issued by President Trump in May 2017, which required Commerce and DHS to lead a process to determine appropriate action to “dramatically reduc[e] threats perpetrated by automated and distributed attacks (e.g., botnets).”

The Report puts considerable pressure on device makers and software providers to make concrete progress in improving the security of IoT devices and software. Indeed, its first recommended action is the establishment of broadly accepted security baseline capabilities for IoT devices in home and industrial applications. The Report states unequivocally that vendors must not ship devices with known security flaws, must incorporate a secure update mechanism into their products, and must follow current best practices (including no hard-coded passwords) for system configuration and administration. Future products need to enhance the reliability and integrity of authentication processes by leveraging hardware roots of trust and other trusted execution technologies, which will require significant steps forward in education and awareness for product developers.

The Report sets out six themes related to cyber threats and the IoT ecosystem:

  1. Automated, distributed attacks are a global problem;
  2. Effective tools exist, but are not widely used;
  3. Products should be secured during all stages of the lifecycle;
  4. Awareness and education are needed;
  5. Market incentives should be more effectively aligned; and
  6. Automated, distributed attacks are an ecosystem-wide challenge.

The Report then identifies five principal goals aimed at dramatically reducing threats toward the IoT ecosystem:

  1. Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace;
  2. Promote innovation in the infrastructure for dynamic adaptation to evolving threats;
  3. Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks;
  4. Promote and support coalitions between the security, infrastructure, and operational technology communities domestically and around the world; and
  5. Increase awareness and education across the ecosystem.

From these themes and goals, the Report recommended twenty-four actions to be taken by stakeholders – government, industry, and others – the most relevant of which for device manufacturers are outlined below.

Action 1.1. Using industry-led inclusive processes, establish internationally applicable capability baselines for IoT devices supporting lifecycle security for home and industrial applications founded on voluntary, industry-driven international standards. The rapid deployment of insecure IoT devices “has had the pernicious side effect of enabling cost-effective development of extremely large and widely distributed botnets.” Because of the exponential increase in IoT devices, the Internet and communications ecosystem must move away from reactive botnet mitigation activities and embrace a proactive and focused approach aimed at reducing known vulnerabilities of Internet-connected devices throughout the lifecycle. The Report calls for the development of industry-led performance-based security baselines covering the entire lifecycle of IoT devices, based upon voluntary standards, specifications, and security mechanisms.

Action 1.2. The federal government should leverage industry-developed capability baselines, where appropriate, in establishing capability baselines for IoT devices in U.S. government environments to meet federal security requirements, promote adoption of industry-led baselines, and accelerate international standardization. The Report recommends that the federal government use its procurement authority to encourage the development of more secure devices. It suggests that federal procurement guidelines be used to “amplify the market signal by requiring the capabilities in the baseline(s)” and to conform to private sector labeling (see Actions 5.1 and 5.2 below). It also directs the National Institute of Standards and Technology (NIST) to pinpoint minimum requirements for federal IoT devices and systems, determine the suitability of existing consensus industry baselines for federal users, create federal standards, and find industry partners that can help expedite the development of additional necessary baselines.

Action 1.3. Software development tools and processes to significantly reduce the incidence of security vulnerabilities in commercial-off-the-shelf software must be more widely adopted by industry. The federal government should collaborate with industry to encourage further enhancement and application of these practices and to improve marketplace adoption and accountability. Software developers should “significantly reduce the incidence of security vulnerabilities in commercial-off-the-shelf software” through wider adoption of development tools and processes that reduce the number of vulnerabilities, increase the detection of security flaws before product deployment, and limit meaningful exploitation of any vulnerabilities that do arise. The Report recommends that the federal government support industry adoption of secure coding tools to avoid security vulnerabilities created by common software bugs and take steps to promote secure software development. It also tasks Commerce’s National Telecommunications and Information Administration (NTIA), which has previously led a multi-stakeholder process on software patching and upgrading for IoT devices, to lead an effort aimed at fostering greater software component transparency.

Action 3.2. Home IT and IoT products should be easy to understand and simple to use securely. This item recommends that industry “prioritize simple and straightforward deployment and configuration processes for devices marketed to home and small businesses,” such as forced updates to administrative passwords at installation, secure and intuitive default configurations, and automatic or easily managed installation of security patches.
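The two baseline items above that a manufacturer can verify mechanically are “no hard-coded passwords” and “forced updates to administrative passwords at installation.” The following is an added example, written for this page and not taken from the Report or the article: a pre-ship check for an embedded Linux root filesystem that parses the device’s /etc/shadow file and flags every account that would accept a factory password out of the box (an empty field, or a fixed hash baked into every unit). The shadow file format is the standard one (name:hash:lastchange:…); the sample shadow content, the account names and the hash values are constructed for illustration, and the “ship gate” at the end is a hypothetical build-pipeline check, not something the Report prescribes.

```python
"""Pre-ship audit of /etc/shadow for shipped (hard-coded) credentials.

Added example for this article; not code from the Report or from any vendor.
Assumes a Linux-based device whose local accounts live in /etc/shadow.
"""
from typing import List, Tuple

# Constructed sample /etc/shadow (not from any real product): one account with
# a fixed SHA-512-crypt hash, one with an empty password, two locked system
# accounts, and one with a fixed MD5-crypt hash.
SAMPLE_SHADOW = """\
root:$6$saltsalt$kD2Q0hVxU1Jq7nEo5zPyW3rLbTcA9mSfG8iHvN6jXeB4aYwMtCuO0lR1pZ2dK7sFgV5hI3nQ8xE6bJ9mW:17800:0:99999:7:::
admin::17800:0:99999:7:::
daemon:*:17800:0:99999:7:::
sshd:!:17800:0:99999:7:::
support:$1$Q9vbhk3w$5rZQF3lO1e2Gk7Jx0dN9f1:17800:0:99999:7:::
"""

# Modular-crypt prefixes. A "strong" hash only makes offline cracking slower;
# if the same hash ships in every unit it is still a hard-coded password.
WEAK_PREFIXES = ("$1$",)                                   # md5crypt
STRONG_PREFIXES = ("$5$", "$6$", "$y$", "$2a$", "$2b$", "$2y$")  # sha256/512crypt, yescrypt, bcrypt


def classify_password_field(field: str) -> str:
    """Classify the second field of a shadow entry.

    Returns 'empty' (any or no password accepted), 'locked' (no password
    login possible), 'fixed-weak' or 'fixed-strong' (a usable hash shipped).
    """
    if field == "":
        return "empty"
    if field == "*" or field.startswith("!"):
        return "locked"
    if field.startswith(WEAK_PREFIXES):
        return "fixed-weak"
    if field.startswith(STRONG_PREFIXES):
        return "fixed-strong"
    # Anything else (e.g. 13-character traditional DES crypt) is treated as weak.
    return "fixed-weak"


def find_shipped_credentials(shadow_text: str) -> List[Tuple[str, str]]:
    """Return (user, status) for every account that can log in with a factory password."""
    findings = []
    for lineno, line in enumerate(shadow_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: not a shadow entry")
        user, password_field = fields[0], fields[1]
        status = classify_password_field(password_field)
        if status != "locked":
            findings.append((user, status))
    return findings


def ship_gate(shadow_text: str) -> bool:
    """Hypothetical build-pipeline gate: pass only if no account accepts a factory
    password, i.e. the first boot must force the operator to set one."""
    return not find_shipped_credentials(shadow_text)


if __name__ == "__main__":
    for user, status in find_shipped_credentials(SAMPLE_SHADOW):
        print(f"{user}: {status}")
    print("ship gate:", "PASS" if ship_gate(SAMPLE_SHADOW) else "FAIL")
```

On the constructed sample the check reports root (fixed-strong), admin (empty) and support (fixed-weak) and the gate fails; a firmware that locks every account and sets the password during a forced first-boot setup passes. The same parse can be pointed at an extracted rootfs image in a build pipeline, and extended to flag init scripts that start telnetd or an HTTP admin interface before that setup has completed.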

Action 4.3. Sector-specific regulatory agencies, where relevant, should work with industry to ensure non-deceptive marketing and foster appropriate sector-specific security considerations. While acknowledging the limits of one-size-fits-all rules, the Report suggests that sector-specific regulatory agencies can promote ecosystem resilience by working with industry to ensure that the security of the products deployed is appropriate for the products’ use.

Action 5.1. The private sector should establish and administer voluntary informational tools for home IoT devices, supported by a scalable and cost-effective assessment process, that consumers can trust and intuitively understand. The action item recommends industry development, through a multi-stakeholder process convened by the federal government, of effective assessment and labelling of home IoT device security capabilities that may allow consumers to “make informed choices.” While it largely emphasizes industry-led efforts, it also suggests that agencies such as the Federal Trade Commission could have a role, through investigating deceptive marketing claims regarding security capabilities. (A separate item focuses on a public awareness campaign, established by the federal government, to promote understanding of home IoT device security baselines and branding.)

Action 5.2. The private sector should establish voluntary labeling schemes for industrial IoT applications, supported by a scalable and cost-effective assessment process, to offer sufficient assurance for critical infrastructure applications of IoT. The Report suggests that manufacturers of industrial IoT devices and applications should make efforts beyond the voluntary actions suggested for consumer devices in Action 5.1, possibly including the establishment of an evaluation process and an evaluated products list.

****

Next Steps

The Report envisions the development of a prioritized “roadmap” to coordinate the timing and management of efforts to implement its recommendations. Commerce and DHS, “in coordination with industry, civil society, and in consultation with international partners, will develop an initial road map with prioritized actions within 120 days after approval of this report.” The Report highlights recommendations regarding the establishment of IoT device security baselines and the promotion of effective software development tools as likely priority items.

©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About this Author

Chris Harvie, Communication Attorney, FCC, Mintz Levin Law Firm
Member

Chris focuses chiefly on legal, policy, and legislative issues affecting cable and telecommunications companies. He has represented clients in proceedings before the Federal Communications Commission, Congress, federal and state courts, and state and local regulatory bodies.

202.434.7377
Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member

Cynthia is Chair of the firm’s Privacy & Security Practice and a Certified Information Privacy Professional (CIPP). She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

Cynthia has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions.

She conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy “best practices” across all levels of the enterprise.

She is a frequent speaker on privacy issues at conferences and media appearances and presents privacy awareness and compliance training seminars to client companies.

617-348-1732
Laura Stefani, Mintz Levin Law Firm, Washington DC, Technology Law Attorney
Of Counsel

Laura focuses her practice on the telecommunications and technology industries. She provides strategic, legal and policy advice to manufacturers, communications network operators and other clients on spectrum allocation and licensing matters, with a focus on bringing new technologies to market. Laura has experience with unlicensed and licensed wireless technologies, unmanned aircraft, the satellite industry, and the Internet of Things.

Before joining Mintz Levin, Laura was a partner at a DC-area firm that serves technology, telecommunications,...

202-434-7387