Title | The Good and Not So Good of the IoT Cybersecurity Improvement Act of 2020
Date | Sunday October 18 2020, @07:06AM
Author | Fnord666
from the anything-would-be-an-improvement dept.
The Good and Not So Good of the IoT Cybersecurity Improvement Act of 2020 - Security Boulevard:
In September, the House of Representatives passed a bill requiring that all internet of things (IoT) devices purchased by the government meet minimum security requirements.
H.R. 1668 has the potential to improve the security of the IoT for two high-level reasons. Any activity that places cybersecurity front and center of IoT conversations is a good thing. This bill could and should create demand for higher quality devices, which incentivizes the supply chain to build platforms. This is different from other (market "push") security initiatives and standards such as Arm's Platform Security Architecture, in which it is a technology company proposing something. Here it is an end customer stipulating a requirement that creates market "pull."
The bill also outlines key themes that should be addressed rather than getting caught up in specific technologies.
That said, I think some elements of this show where the U.S. government may have some challenges. There are three elements we feel could do with improvement here:
- No device can be regarded as 100% secure. Software has to provide earlier recognition that a device has been compromised. We have seen that in the enterprise arena; hacks can remain hidden for months, such as in the Citrix case in which hackers lay dormant for five months. The bill's section 4, subsection 2, should be a separate section that discusses this set of system capabilities. Maybe it is contemplated and articulated under "patching" or "secure development," but it is important enough to be called out separately.
- The publishing guidelines in another section (Section 4, C I) are set for five years. This is simply too slow. This industry is far more dynamic and will need a cadence far quicker than this.
- I believe in applying different (tiered) levels of security based on the device's use case and the value of the data that could be exposed. The concern here is that there will be some applications that need absolute bulletproof security. There will be other things (simple sensors) for which less security is required—doing a one-size-fits-all approach risks making systems too costly, too power-hungry etc.
printed from SoylentNews, The Good and Not So Good of the IoT Cybersecurity Improvement Act of 2020 on 2024-04-30 10:12:34