The US Government seems to have suddenly decided to take note of the dangers of the IoT – a new bipartisan Cybersecurity grouping wants to place new minimum security requirements on any government IoT contracts – while at the same time a Senate hearing has beaten up a number of private operations for letting hackers steal their data – in particular Equifax.
The new bill was introduced by Senators Warner, Cory Gardner, Maggie Hassan and Steve Daines with Republican Robin Kelly and Will Hurd introducing it to the House.
Like many bills of this type, once US government contracts rely on a particular approach to IoT security, it would be all too easy for US enterprises to adopt this as a minimum backstop for US commercial projects. And that just might make enough waves internationally to become by default the de facto security standard for the global IoT. It is a certainty that many outside security firms will be lobbying for involvement in any solution that will go US Government wide. The only problem is that a specialist system for government may end up not based on systems openly available in the market – the contract is large enough for a specialist to design it purely for the US Government – but let’s hope it is.
So far the politicians so far have simply described a process – that the US National Institute of Standards and Technology (NIST) will issue recommendations to address secure development, identity management, vulnerability patching, and configuration management for all US government purchased IoT devices. When you put it that way, it’s hard to think why someone hasn’t thought of this approach before, and insisted on protecting US government IoT devices sometime before during the last 5 very insecure years.
NIST will likely consult widely with US security specialists to establish these approaches if the Bill is voted through. Being bipartisan, what’s not to like – it will almost certainly go through on the nod. The idea is to them let the Office of Management and Budget (OMB) to issue these standards as guidelines for any agency buying IoT devices, in a consistent fashion. Then it would review the choices every five years.
NIST says it will work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
In Riot’s two recent reports one on IoT endpoint security and the other on Cyber security, the spending trends are rising – with endpoint security elements expected to rise to $6 billion by 2023, and Cybersecurity total costs to reach a massive $223.7 billion by 2024. All Riot customers have access to these reports (See here).
Funnily enough it was the 8,500 vulnerabilities which were totally ignored at Equifax which makes the report from Senators Tom Carper and Rob Portman, leading the permanent subcommittee on Homeland investigations, such damning reading. 1,000 of those vulnerabilities were said to be “critical” and were announced as such in notifications.
If we simply accept the report from the two senators, there was no process in place at Equifax to patch vulnerabilities, there was also no tracking system in place to show which vulnerabilities had been fixed. But the security weaknesses go further, and it comes down to a “culture of indifference,” towards security among senior management.
Even that is not the extent of the inaction. Senior management were appraised of the system vulnerabilities back in 2015, but in 2017 the system lost 145 million personal data records to a hack, and not a hack on a particular day that was immediately noticed – the door was wide open for three months. Only this week has the report from the Senators emerged detailing how the company closed ranks and tried to pretend that it didn’t try to “cover it up.” It took six weeks to own up to it, it deleted messaging conversations of technical staff who were trying to raise the issue, and get something done about it.
Going back to the new security measures the US government is trying to adopt, it is unlikely that anything like this is ever going to happen to major government. It is the profit motive that leads to spending on security being treated like a grudge purchase and dollars are guide away from protecting data. The US Government is usually more careful with data. What the bipartisan Cybersecurity grouping is trying to avoid is not so much a hack, as Government owned devices being used in a Distributed Denial of Service attack, and the responsibility that such an act brings.
The two senators looking into Equifax cleverly explored how its rivals Experian and TransUnion dealt with the same kinds of vulnerabilities, and of course it was not rocket science, simply good practice and both had different but sufficient systems in place, so why not Equifax
When asked about it by journalists this week we said, “Anything less than a senior management cull of Equifax would be a betrayal of the customers the company serves.” But we doubt very much that this can be orchestrated by the Homeland Security sub-committee, and instead this will have to be through share price fallout and activist shareholder behavior. The Equifax hack was in September 2017, and the share price was over $140 the day before. Today it remains $111, still some way below that price, and as this goes through the news once more, it is unlikely to rise higher in the near term.
Executives will always say that the cost of security is prohibitive and that anyone can be hacked, but that is far from the truth – hackers look for low hanging fruit and if your company security is low hanging, then your fruit will be picked. The changes required are not excessive for a rich business like Equifax because security is not a mystery. There are many companies that can audit and make recommendations, for stronger security, and their cost is not exorbitant, but it can amount to a few percentage points of profit.