IoT Seen Posing Many Cybersecurity Concerns; Solutions Hazy
The coming boom in connected IoT devices brings increased cybersecurity concerns, but no consensus about or current push for a regulatory framework to address it, said IoT, cybersecurity and connected medical device experts at an FCBA CLE Wednesday evening. "Hard and fast rules aren't going to work," said NTIA Deputy Associate Administrator Evelyn Remaley.
Speakers said there can't be one fix for IoT cybersecurity for all devices. "There's no tamper-resistant bottle solution," said cybersecurity lawyer Clete Johnson of Wilkinson Barker. There's need for certainty in the form of all participants knowing responsibilities, but that's difficult given the developing market, he said. AT&T Vice President-Global Public Policy Jeff Brueggeman told us industry likes the approach the U.S. is taking, with the FTC mirroring its enforcement to the National Institute of Standards and Technology cybersecurity framework, which helps ensure uniform policy and approach.
That NIST framework, while useful, is "thick" and difficult for a small business to go through and implement, said ACT|The App Association Senior Policy Counsel Brian Scarpelli. He said rather than a legislative fix for connected device cybersecurity concerns, a better public policy approach would be a governmental oversight coordination role, as envisioned in the Developing Innovation and Growing the Internet of Things Act (HR-686) before the House Commerce Committee.
Many nations are taking a more prescriptive, regulatory approach than the U.S. to connected medical device cybersecurity, following China's and the European Union's lead, Scarpelli said. He also said there's "a blurry line" in the U.S. over authority for consumer protection for connected medical devices, with perhaps the FTC needing to be at the center.
Last October's distributed denial of service attack involving Mirai malware was "essentially a nuisance," but it generated multiple times the volume of traffic that Iranian DDoS attacks did a handful of years earlier, showing the kind of damage posed by even a relatively unsophisticated botnet attack, Johnson said. "There is a long way to go" before there's a coherent response system to such attacks. He said accountability issues "aren't entirely clear," but responsibility doesn't stop at the device level.
Connected medical devices are an area "ripe for attack" because multiple stakeholders -- from medical device manufacturers to hospitals to wireless networks -- often operate under differing rules, said Sonali Gunawardhana of Wiley Rein, who represents medical device manufacturers. The WannaCry ransomware attacks earlier this year revealed confusion about what goes into IoT devices, with hospitals not knowing if they're vulnerable because they -- and often vendors -- don't know what software they use, Remaley said. One idea is a "bill of materials" for IoT devices, showing what software components are used, she said.
The FTC's 2015 report urging a variety of IoT security and privacy steps (see 1501270034) foreshadowed problems manifested by the Mirai attack, but still not all connected products are properly thought of as potential threats, said Laura Riposo VanDruff, the agency's assistant director-Division of Privacy and Identity Protection. The FTC is studying mobile security issues, including how security updates are pushed to mobile handsets, with a report in the next few months, VanDruff said. The agency's handling last year of Nest Labs' ending support for its Revolv smart home product -- with the commission opting to take no action after looking at the limited number of units sold and Nest's refund policy -- helps show how it looks at such issues, she said.
With one NTIA working group having issued recommended guidelines this summer about consumer notifications (see 1707180006), its three other IoT working groups are expected to come to consensus on their reports in early November, with the agency convening a multistakeholder meeting in early December to start discussing next steps, Remaley said.
A problem needing addressing is healthcare industry reticence about disclosing cybersecurity vulnerabilities, though it's not common to be successfully sued for such proactive disclosures, said Food and Drug Administration Cybersecurity Project Manager Seth Carmody. He said connected medical devices pose "a deep inertial problem" for the healthcare industry since medical devices historically haven't been designed to rebuff malicious misuse and the FDA traditionally hasn't been set up to look at such issues. He said the agency took a stance that companies that share information about cybersecurity problems that are addressed quickly and can't harm people are less likely to face product recalls.