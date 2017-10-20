from the anything-would-be-an-improvement dept.
In September, the House of Representatives passed a bill requiring that all internet of things (IoT) devices purchased by the government meet minimum security requirements.
H.R. 1668 has the potential to improve the security of the IoT for two high-level reasons. Any activity that places cybersecurity front and center of IoT conversations is a good thing. This bill could and should create demand for higher quality devices, which incentivizes the supply chain to build platforms. This is different from other (market "push") security initiatives and standards such as Arm's Platform Security Architecture, in which it is a technology company proposing something. Here it is an end customer stipulating requirement that creates market "pull."
The bill also outlines key themes that should be addressed rather than getting caught up in specific technologies.
That said, I think some elements of this show where the U.S. government may have some challenges. There are three elements we feel could do with improvement here:
- No device can be regarded as 100% secure. Software has to provide earlier recognition that a device has been compromised. We have seen that in the enterprise arena; hacks can remain hidden for months, such as in the Citrix case in which hackers laid dormant for five months. The bill's section 4, subsection 2, should be a separate section that discusses this set of system capabilities. Maybe it is contemplated and articulated under "patching" or "secure development," but it is important enough to be called out separately.
- The publishing guidelines in another section (Section 4, C I) are set for five years. This is simply too slow. This industry is far more dynamic and will need a cadence far quicker than this.
- I believe in applying different (tiered) levels of security based on the device's use case and the value of the data that could be exposed. The concern here is that there will be some applications that need absolute bulletproof security. There will be other things (simple sensors) for which less security is required—doing a one-size-fits-all approach risks making systems too costly, too power-hungry etc.
The link in the summary goes to a site which is notoriously pro-M$ and anti-GNU/Linux, and anti-FOSS in general. No wonder they are touting the bill. Without meaningful access to the products' source code, the bill will just result in additional, unproductive (or counter-productive) red tape helping the largest vendors raise further barriers to entry for more markets. Not only is the source code not mentioned even once in the bill you can tell by the bill's backers that this is a stinker.
The lobbyists [opensecrets.org] pushing H. R. 1668 [congress.gov] include M$ own Business Software Alliance, which acts as one of their marketing arms. The others are not very noble either, such as SAP, Verizon, Intel, and ISACA.
Unlike what's in H. R. 1668, I would say Dan Greer's suggestion to hold software manufacturers liable within limit for faulty software [threatpost.com] has merits. In particular, his proposal has carve outs for Free and Open Source Software, because as was shown in Ken Thompson's Reflections on trusting trust [acm.org] was that full access to read and modify the source code is a prerequisite for securing a system. In general, Greer points out what makes an incentive for manufacturers to patch and gives end customers the freedom to patch or hire others to patch.
Money is not free speech. Elections should not be auctions.
It would have helped more if I had actually spelled Gan Geer [tinho.net]'s name correctly.
