Tue, May 19, 2020

Seven perspectives on securing the global IoT supply chain

New Atlanticist by Trey Herr

Cybersecurity Internet Internet of Things

Google Home smart speakers, which respond to consumers' voice commands to control devices in the home or to answer questions out loud about topics including the weather, news or local services, are shown in San Francisco, California, U.S., March 28, 2019. Picture taken March 28, 2019. REUTERS/Dave Paresh

The Internet of Things (IoT) refers to the increasing convergence of the physical and digital worlds. An ever-growing number of “things” are being connected to the internet and to each other, with more than fifty billion devices expected to be connected by 2030. These devices range from internet-connected power-generation equipment to wearable health trackers and smart home appliances, and generally offer users some combination of new functionality, greater convenience, or cost savings.

Alongside these benefits, IoT brings serious risks, with impacts ranging from individual consumer safety to national security. Cybersecurity is now a relevant concern for even the most mundane household objects. Many IoT devices are manufactured abroad, and many of these are extremely low cost, with little consideration given to security. There is nothing inherently untrustworthy or insecure about foreign manufacturing; the individual firm and the individual product line are far more useful levels of analysis for distinguishing good security practice from bad. Importantly, however, the United States has limited means to enforce its standards in foreign jurisdictions such as China, where the bulk of IoT products are manufactured.

We asked IoT experts seven questions about securing the global IoT supply chain:

Question 1: What kinds of harm can IoT really bring to users? Others?

Bruce Schneier, adjunct lecturer in Public Policy, Harvard University’s John F. Kennedy School of Government:

“The IoT gives computers the ability to directly affect the physical world: toys, small and large appliances, home thermostats, medical devices, cars, traffic signals, power plants. This transfers the traditional computer risks to these devices. Hacked thermostats can cause property damage. Hacked power generators can cause blackouts. Hacked cars, traffic signals, and medical devices can result in death. To date, most of these vulnerabilities have been demonstrated by researchers. But we have seen examples by both criminals and governments, and there is no reason to expect the trends to suddenly reverse.”

Question 2: Nearly everything is made at least in part by a foreign manufacturer. What makes IoT devices special?

Josh Corman, founder, I Am the Cavalry (dot org); former director, Cyber Statecraft Initiative:

“When compared to their Enterprise IT counterparts, IoT devices often prove quite challenging to securely design, develop, and operate. Available “best practices” for cybersecurity carry heavy biases and assumptions across at least six dimensions: consequences of failure, adversaries, device composition, economics, operational context, and time scales. Where smaller, cheaper devices may lack adequate processing power, margins, and the benefit of layered defenses and security teams, they may encounter elevated risks to safety, face a wider swath of accidents and adversaries, and for longer lifecycles than is sound. This framework of six differences for IoT is explored in more detail by “I Am The Cavalry.”

“Further, many of the nascent IoT supply chains lack the mature, traceable, auditable processes required for higher assurance dependence—leaving them more prone to avoidable harms (accidental or otherwise).”

Question 3: Who has the greatest potential (or power) to play a positive role in IoT security (markets, governments, or international organizations)?

Nate Kim, MPP candidate, Harvard University’s John F. Kennedy School of Government:

“One of the biggest factors underlying the problem of IoT security is economics: IoT suppliers and manufacturers haven’t been building security into their products because it’s cheaper and because consumers haven’t been demanding it. To me, this suggests that the market alone cannot deliver significant improvements for IoT security—we need interventions that change the cost calculus for IoT manufacturers or amplify the demand signal from consumers (e.g. increasing consumer awareness to alleviate information asymmetry concerns). At the end of the day, these interventions will have to be administered by the government.

“The government therefore has the greatest potential to make a difference in IoT security because of its authority to pass and enforce policies that can increase the cost of bad security to IoT suppliers. These policies can include strict security standards for connected devices, or liability schemes that hold manufacturers accountable for harms resulting from poor security in their products. If executed well, such policies can allow consumers to gain all the benefits of using connected products without also putting them at risk of serious harms that arise from an insecure Internet of Things.

“International organizations will have an important role to play as well, especially in the context of increasingly globalized markets and supply chains of the 21st century. The connectedness of the internet makes IoT security very much a global problem. Even if the United States manages to enforce strong security in its national IoT ecosystem, vulnerabilities in IoT systems outside the United States can still be exploited to pose threats against US consumers and critical infrastructure. IoT products are also largely made outside of the United States, which means that the United States must collaborate with other governments in enforcing the rules and standards of digital security. Multinational cooperation through international platforms will be essential to improving IoT security everywhere.”

Question 4: Labeling has been discussed as a way to enforce best practices and inform consumers about the products they buy across a range of different fields. What makes labeling most tricky?

Robert Morgus, director, research & analysis, US Cyberspace Solarium Commission:

“The purpose of labeling is to provide the consumer or purchaser with better information on the product they are purchasing. This presents two specific hurdles in the context of cybersecurity and information technology devices. The first challenge lies in identifying the most relevant security information to present on a label. Is information about the security features of the product itself relevant (i.e., that each item sold has a unique default password)? Or should we be more concerned about the process by which the product was developed (i.e., its codebase and whether the constructor adhered to good practices in secure coding)?

“Both are likely relevant to the consumer but are difficult to present in a clear and coherent way, leading to the second major challenge: presenting the label information in a manner that is meaningful to the consumer. If the goal of labeling is to enable consumers to demand better security through their purchases, the information presented on labels must be easily understandable for the purchaser. Simply listing the sources of code—components, development frameworks, libraries, and so on—is unlikely to be actionable information for most. Building a productive labeling schema will require expert and consumer input to help design symbols and shortcuts for average consumers in the form of security scores or consumer-facing certifications with tiers.”

Question 5: What would Congress need to do for the Federal Trade Commission to be able to enforce security standards on a distributor like Amazon?

Jessica Rich, distinguished fellow, Institute for Tech Law and Policy, Georgetown Law; former director, Bureau of Consumer Protection, Federal Trade Commission:

“Under current law, distributors can be liable for selling products in ways that violate the FTC Act’s prohibition against “unfair or deceptive” practices. For example, in several cases against home shopping network QVC, the FTC charged the company with making false claims about products that had been manufactured by other companies. The FTC also has held catalog companies liable for their role in disseminating false claims about products sold on behalf of others. Further, Amazon itself has settled FTC charges that it made false claims that products sold on its website were “bamboo” when they were in fact made of rayon.

“However, absent some sort of agency relationship between a manufacturer and a distributor, the liability of a distributor generally depends on the role it plays in committing a law violation. In the above cases, the distributors themselves engaged in conduct that allegedly violated the law—for example, formulating or disseminating their own misleading claims or marketing strategy—and the FTC was required to develop extensive proof of such conduct. In other words, the law does not generally allow the FTC to hold an independent distributor strictly liable for selling a faulty product, or for failing to undertake the screening of products for defects or safety. Adding to the challenge, the Communications Decency Act (CDA), passed in the 1990s and interpreted expansively, confers some immunity on “interactive computer services” (arguably Amazon, Google, and Facebook) that merely repeat the speech of others.

“For these reasons, if the goal is to hold a distributor like Amazon responsible for the security of any products it sells—automatically, and without regard to the role it plays in creating or promoting the product—Congress would need to pass a law specifically creating such liability and amending or superseding portions of the CDA. The political and practical obstacles to doing so would be significant.”

Question 6: Between the European Union and the United States, who has set a better example on how to enforce IoT security standards on foreign manufacturers?

Beau Woods, cyber safety innovation fellow, Cyber Statecraft Initiative; founder and CEO, Stratigos Security:

“There are not a lot of laws around IoT, much less enforcement. The United Kingdom’s plan is to restrict sale and import of devices without their top three, but they haven’t yet put that into action. I remember Germany banned a doll named My Friend Cayla that had security issues. California’s IoT law is in force, though I don’t know if there have been any enforcement actions around it.

“Regarding the broader set of operational technology devices, I’d say the Food and Drug Administration leads and no one else is close.”

Question 7: What’s the most important effort on IoT security we’ve never heard of?

Benedikt Abendroth, senior security program manager, Azure Sphere, Microsoft:

“One challenge is the notion that not every connected device should be protected with the highest levels of security. Even a very mundane device, such as a child’s toy, a household appliance, or even a connected cactus watering sensor can pose risks when they are compromised over the internet. A toy can spy or deceive, a household device can be destroyed, and a watering sensor can launch a denial-of-service attack. Taking that into account, second-best solutions are not enough. In 2017, Microsoft introduced a new standard for IoT security in the white paper “The Seven Properties of Highly Secured Devices,” which demonstrates that it is possible to engineer all connected devices, even those that are price-sensitive, to be trustworthy even in the face of determined attackers.”

Trey Herr, PhD, is director of the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security.
