Blog
Is legislation key to security in IoT?
(ISC)² Community weighs in on Cyber Shield Act of 2017
Senator Ed Markey (D-Mass) has long been concerned about securing new technology as it bleeds into our everyday lives. In 2015, Sen. Markey, a member of the Commerce, Science and Transportation Committee, released the report, Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk .
Since then, smart cars have made frequent headlines, which has had the residual effect of bringing securing connecting cars to front of mind for the auto industry.
We posed the question, “What do you think?” to members of the (ISC)² Community , and received a wide range of opinions on whether industry experts think the legislation will make a difference.
If the goal with the newly proposed Cyber Shield Act of 2017 , backed by Sen. Markey and Rep. Ted Lieu (D-Calif.) in the House, is to broach the discussion and bring something to the table that raises awareness, the conversation has started.
Calling all volunteers
In this voluntary program, device manufacturers can opt to have the Department of Commerce certify that their products have met the benchmarks for strong cybersecurity.
One stand out issue is that the legislation calls for a voluntary program, which raises the question, “If we are certifying products, what happens when a vulnerability is discovered in a product that was previously certified?”
Following that thought process, it’s important to think about the responsibility of maintenance. If we anticipate certifying the more than 50 billion IoT devices by 2020, there has to a plan for when those devices fall out of certification, particularly given the security risks inherent in abandoned devices.
Certifications without substance
Heightened concerns in the wake of global ransomware attacks have given rise to debates over the security of the IoT. As the threat landscape grows, the risks increase, which has everyone from business leaders to government officials concerned for the impact on the public and private sectors.
Further to that point, there is the reality that “Device and product standards tend to be ‘snapshot’ certifications.” Certainly a certification process sets some standard, but members of our community question whether the legislation will do enough.
“The IoT will also stand for the Internet of Threats unless we put in place appropriate cybersecurity safeguards,” Markey said. A statement that could potentially be true but may also be overreaching.
Is the arm of the law too long?
Beyond the efficiency of the proposed legislation is the question of whether the government should have this level of oversight.
That is not an easy question to answer, particularly when looking at the language of the act. The certification, “Shall promote technologies that are compliant with the cybersecurity and data security benchmarks established by the Secretary as the preferred technologies in the marketplace for.”
Granting the U.S. government the power to promote private products is, according to one community member, “A fuzzy line that will likely be tested in court.”
Our Community continues to engage in these important conversations. Maybe the ‘Cyber Shield Act 2017’ is an effort to circumvent that outcome.