The IoT and the United States Government


Risks and shortfalls associated with the IoT are addressed directly by the IoT Cybersecurity Improvement Act of 2017 and the DHS Strategic Principles for Securing the Internet of Things. The DHS Strategic Principles for Securing the Internet of Things underpin the HoT-TAIs.

These risks and shortfalls are also addressed indirectly by the components within the two cybersecurity-related mission priorities of the DHS Fiscal Years (FY) 2014-2018 Strategic Plan and by specific statements, requirements, and mandates within the Homeland Security Act of 2002, PPD-21, Executive Order 13800 (President Trump), Executive Order 13636 (President Obama), the NIPP, the National Cybersecurity Protection Act of 2014, the Cybersecurity Enhancement Act of 2014, the Cybersecurity Information Sharing Act of 2014, the Cybersecurity and Infrastructure Protection Agency Act of 2016, the State and Local Cyber Protection Act of 2015, the Cyber Preparedness Act of 2016, the Small Business Cyber Security Improvement Act of 2016, and the NIST Framework for Improving Critical Infrastructure Cybersecurity.

After thorough review of the applicable laws and policies, the importance of collaboration, critical infrastructure protection, and cybersecurity is evident at every level, from Federal and SLTT governments to small businesses. Moreover, it is evident that mitigating risks where critical infrastructure and cyberspace meet is of utmost priority to the USG. IoT devices are typically at the center of this meeting point. The extremely high risks presented to homeland security by the IoT are attributed to the growing sophistication of human threats, the abundance of vulnerabilities, and the exponential growth of the IoT within critical and non-critical infrastructure. Failure to mitigate the risks associated with the IoT within critical infrastructure could result in a catastrophic event with both tangible and intangible effects, including the compromise of our Nation’s security, prosperity, and values. Such an event could also have a global impact, affecting the global economy and the international order.

White House / POTUS


During the original research of this section, the President of the United States (POTUS) was Barack Obama. President Obama's PPD-21 and EO 13636 focused on cybersecurity as it pertains to critical infrastructure. Summaries of both documents, as given by DHS, appear below. President Donald Trump has since issued EO 13800; a summary from US-CERT is given below.

EXECUTIVE ORDER 13800: STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE: To improve the Nation’s cyber posture and capabilities in the face of intensifying cybersecurity threats to its digital and physical security. EO 13800 initiates action on four fronts:

  1. It secures the Federal networks that operate on behalf of the American people.
  2. It encourages collaboration with industry to protect critical infrastructure that maintains the American way of life.
  3. It strengthens the deterrence posture of the United States and builds international coalitions.
  4. It places much needed focus on building a stronger cybersecurity workforce, which is critical for the Nation’s long term ability to strengthen its cyber protections and capabilities.

The EO consists of three sections: Cybersecurity of Federal Networks, Cybersecurity of Critical Infrastructure, and Cybersecurity for the Nation. A Working Group of representatives from across the U.S. Government has been formed to implement EO work.

Presidential Policy Directive-21 (President Obama): Critical Infrastructure Security and Resilience replaces Homeland Security Presidential Directive-7 and directs the Executive Branch to:

  • Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
  • Understand the cascading consequences of infrastructure failures
  • Evaluate and mature the public-private partnership
  • Update the National Infrastructure Protection Plan
  • Develop a comprehensive research and development plan

Executive Order 13636 (President Obama): Improving Critical Infrastructure Cybersecurity directs the Executive Branch to:

  • Develop a technology-neutral voluntary cybersecurity framework
  • Promote and incentivize the adoption of cybersecurity practices
  • Increase the volume, timeliness and quality of cyber threat information sharing
  • Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
  • Explore the use of existing regulation to promote cyber security

Congress (Senate and House of Representatives)


The IoT Cybersecurity Improvement Act of 2017 addresses several key points, according to the article on U.S. Sen. Mark R. Warner's (D-VA) website:

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-OR) and Steve Daines (R-MT) today introduced bipartisan legislation to improve the cybersecurity of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require that devices purchased by the U.S. government meet certain minimum security requirements.

Under the terms of the bill, vendors who supply the U.S. government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements. The bill, drafted in consultation with technology and security experts from institutions such as the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University, also promotes security research by encouraging the adoption of coordinated vulnerability disclosure policies by federal contractors and providing legal protections to security researchers abiding by those policies.

The Internet-of-Things, the term used to describe the growing network of Internet-connected devices and sensors, is expected to include over 20 billion devices by 2020. While these devices and the data they collect and transmit present enormous benefits to consumers and industry, the relative insecurity of many devices presents enormous challenges. Sometimes shipped with factory-set, hardcoded passwords and oftentimes unable to be updated or patched, IoT devices can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack. Over the past year, IoT devices have been used by bad actors to launch devastating Distributed Denial of Service (DDoS) attacks against particular websites, web-hosting servers, and internet infrastructure providers.

“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Sen. Warner. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”

“The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices operating on our networks within the next several years,” said Sen. Gardner. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks. This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space. As co-chairs of the Senate Cybersecurity Caucus, Senator Warner and I are committed to advancing our nation’s cybersecurity defenses and this marks an important step in that direction.”

“I’ve long been making the case for reforms to the outdated and overly broad Computer Fraud and Abuse Act and the Digital Millennium Copyright Act. This bill is a bipartisan, common-sense step in the right direction. This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company. Enacting this bill would also help stop botnets that take advantage of internet-connected devices that are currently ludicrously easy prey for criminals,” Sen. Wyden said.

“Information is a form of currency,” Sen. Daines stated. “We need to have the proper safeguards in place to ensure that our information is protected while still encouraging innovation.”

Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would:

  • Require vendors of Internet-connected devices purchased by the federal government ensure their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.
  • Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
  • Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.
  • Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.
  • Require each executive agency to inventory all Internet-connected devices in use by the agency.

The bill has endorsements from the Atlantic Council, the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society, the Center for Democracy and Technology, Mozilla, Cloudflare, Neustar, the Niskanen Center, Symantec, TechFreedom, and VMware. For a full list of endorsements, and to read a one-pager on the bill, please click here.

“Internet-aware devices raise deep and novel security issues, with problems that could arise months or years after purchase, or spill over to people who aren't the purchasers,” said Jonathan Zittrain, Co-Founder of Harvard University’s Berkman Klein Center for Internet & Society. “This bill deftly uses the power of the Federal procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ some basic security measures in their products. This will help everyone in the marketplace, including non-governmental purchasers and the vendors themselves, since they'll be encouraged together to take steps to secure their products.”

“The proliferation of insecure Internet-connected devices presents an enormous security challenge,” said Bruce Schneier, Fellow and Lecturer at Harvard Kennedy School of Government. “The risks are no longer solely about data; they affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests. I applaud Senator Warner and his cosponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government. Additionally, I appreciate Senator Warner's recognition of the critical role played by security researchers and the exemptions included in this legislation for good-faith security research.”

"We urgently need to start securing the internet of things, and starting with the government's own devices is an important first step,” said Michelle Richardson, Deputy Director of the Freedom, Security and Technology Project, Center for Democracy and Technology. “This legislation will push government devices to meet modern security standards, and ensure that researchers who act in good faith can independently verify the security of those devices. We hope that Congress will consider this proposal soon, and look forward to a discussion about the security of government systems, where the market for Internet of Things devices is headed, and how independent research can contribute."

“Cloudflare applauds Senator Warner for his efforts to encourage security research and to use the government procurement process to make the U.S. Government a leader in addressing the risks posed by improperly secured IoT devices. The worldwide internet outages caused last year by devices infected with the Mirai malware highlighted the need for more robust discussions about securing IoT devices. This bill should open an important dialogue on those issues, and Cloudflare looks forward to continuing to work with Senator Warner as the bill moves forward,” said Doug Kramer, General Counsel, Cloudflare Inc.

Sen. Warner wrote to the Federal Trade Commission (FTC) in July 2016 raising concerns about the security of children’s data collected by Internet-connected “Smart Toys.” In May 2017, the Senator wrote a follow-up letter to Acting FTC Chairwoman Maureen Ohlhausen reiterating his concerns following comments by the Chairwoman that the risks of IoT devices are merely speculative. In response to the Senator’s concerns, the FTC issued updated guidance on protecting children’s personal data in connected toys. Immediately in the wake of October’s devastating DDoS attack on the nation’s internet infrastructure by the Mirai botnet, Sen. Warner wrote the FCC, FTC, and NCCIC to raise concerns about the proliferation of botnets composed of insecure devices. Sen. Warner also wrote to Office of Management and Budget Director Mick Mulvaney and Secretary of Homeland Security John Kelly in May 2017 asking what steps the Federal Government had taken to defend against WannaCry ransomware.

Sen. Warner, the Vice Chairman of the Senate Select Committee on Intelligence and former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus and a leader in Congress on security issues related to the Internet-of-Things (IoT).

Bill text is available here.

The Cybersecurity and Infrastructure Protection Agency Act of 2016 states that the Cybersecurity and Infrastructure Protection Agency (CIPA) must:

  • Administer a National Infrastructure Coordination Center to be co-located with the National Cybersecurity and Communications Integration Center (NCCIC) to collect, share, and provide recommendations about critical infrastructure information [15]
  • Perform critical infrastructure assessments to determine the risks posed by particular types of terrorist attacks within the United States [15]
  • Recommend measures necessary to protect critical infrastructure in coordination with other federal entities and in cooperation with nonfederal entities [15]

The Cyber Preparedness Act of 2016 amends the Homeland Security Act of 2002 to require the Department of Homeland Security's (DHS's) State, Local, and Regional Fusion Center Initiative to coordinate with the National Cybersecurity and Communications Integration Center (NCCIC) to provide state, local, and regional fusion centers with expertise on DHS cybersecurity resources [17]. (A fusion center serves as a focal point within the state and local environment for the receipt, analysis, gathering, and sharing of threat-related information between the federal government and state, local, tribal, territorial, and private sector partners [17].) The Act states that DHS must:

  • Provide timely access to technical assistance, risk management support, and incident response capabilities for cybersecurity threat indicators, defensive measures, risks, and incidents, including cybersecurity risks to equipment and technology related to the electoral process; [17]
  • Review cybersecurity risk information gathered by fusion centers to incorporate into DHS's cybersecurity risk information; [17]
  • Disseminate cybersecurity risk information to fusion centers. [17]

The Small Business Cyber Security Improvement Act of 2016 directs the Small Business Administration (SBA) and DHS to include in their small business development centers (SBDC) cyber strategy:

Counsel[ing] and assistance to improve small businesses’ cyber security infrastructure, threat awareness, and training programs for employees, including agreements with Information Sharing and Analysis Centers to gain awareness of actionable threat information that may be beneficial to small businesses; and an analysis of how SBDCs can leverage federal agency programs and develop partnerships to improve cyber support services to small businesses [18].

The State and Local Cyber Protection Act of 2015 amends the Homeland Security Act of 2002 to require the DHS’s NCCIC to assist state and local governments with cybersecurity by:

  • Upon request, identifying system vulnerabilities and information security protections to address unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by, or information systems used or operated by, state or local governments or other organizations or contractors on their behalf; [16]
  • Providing via a web portal updated resources and guidelines related to information security; [16]
  • Coordinating through national associations to implement information security tools and policies to ensure the resiliency of state and local information systems; [16]
  • Providing training on cybersecurity, privacy, and civil liberties; [16]
  • Providing requested technical assistance to deploy technology that continuously diagnoses and mitigates cyber threats and to conduct threat and vulnerability assessments; [16]
  • Coordinating vulnerability standards developed by the National Institute of Standards and Technology; [16]
  • Ensuring that state and local governments are aware of DHS resources and other federal tools to ensure the security and resiliency of federal civilian information systems. [16]

The National Cybersecurity Protection Act of 2014 mandates that:

The Under Secretary appointed under section 103(a)(1)(H) shall, in coordination with appropriate Federal departments and agencies, State and local governments, sector coordinating councils, information sharing and analysis organizations (as defined in section 212(5)), owners and operators of critical infrastructure, and other appropriate entities and individuals, develop, regularly update, maintain, and exercise adaptable cyber incident response plans to address cybersecurity risks (as defined in section 226) to critical infrastructure [12].

This requires a thorough assessment of the software and hardware components of critical infrastructure, which are typically implemented as IoT nodes, whether in the form of an ICS/SCADA solution or another category of IoT node. Title II (Cybersecurity Research and Development), section 201(a)(1) of the Cybersecurity Enhancement Act of 2014 states that applicable agencies and departments will work with the National Science and Technology Council and the Networking and Information Technology Research and Development Program to develop a strategic plan to meet the following objectives:

  • How to test and verify that software and hardware, whether developed locally or obtained from a third party, is free of significant known security flaws; [13]
  • How to test and verify that software and hardware obtained from a third party correctly implements stated functionality, and only that functionality; [13]

The Cybersecurity Information Sharing Act of 2014 section 103 states that:

This title requires the Director of National Intelligence (DNI) and the Departments of Homeland Security (DHS), Defense (DOD), and Justice (DOJ) to develop and promulgate procedures to promote the sharing of: (1) classified and declassified cyber threat indicators in possession of the federal government with private entities, nonfederal government agencies, or state, tribal, or local governments; (2) unclassified indicators with the public; (3) information with entities under cybersecurity threats to prevent or mitigate adverse effects; and (4) cybersecurity best practices with attention to the challenges faced by small businesses [14].

Department of Homeland Security (DHS)


The DHS Strategic Principles for Securing the Internet of Things states that:

Many of the vulnerabilities in IoT could be mitigated through recognized security best practices, but too many products today do not incorporate even basic security measures. There are many contributing factors to this security shortfall. One is that it can be unclear who is responsible for security decisions in a world in which one company may design a device, another supplies component software, another operates the network in which the device is embedded, and another deploys the device. This challenge is magnified by a lack of comprehensive, widely adopted international norms and standards for IoT security. Other contributing factors include a lack of incentives for developers to adequately secure products, since they do not necessarily bear the costs of failing to do so, and uneven awareness of how to evaluate the security features of competing options. The following principles offer stakeholders a way to organize their thinking about how to address these IoT security challenges:

  • Incorporate Security at the Design Phase: Security should be evaluated as an integral component of any network-connected device. While there are notable exceptions, economic drivers motivate businesses to push devices to market with little regard for security.

  • Promote Security Updates and Vulnerability Management: Even when security is included at the design stage, vulnerabilities may be discovered in products after they have been deployed. These flaws can be mitigated through patching, security updates, and vulnerability management strategies.

  • Build on Recognized Security Practices: Many tested practices used in traditional IT and network security can be used as a starting point for IoT security. These approaches can help identify vulnerabilities, detect irregularities, respond to potential incidents, and recover from damage or disruption to IoT devices.

  • Prioritize Security Measures According to Potential Impact: Risk models differ substantially across the IoT ecosystem, as do the consequences of security failures. Focusing on the potential consequences of disruption, breach, or malicious activity is critical for determining where in the IoT ecosystem particular security efforts should be directed.

  • Promote Transparency across IoT: Where possible, developers and manufacturers need to know their supply chain, namely, whether there are any associated vulnerabilities with the software and hardware components provided by vendors outside their organization. Increased awareness can help manufacturers and industrial consumers identify where and how to apply security measures or build in redundancies.

  • Connect Carefully and Deliberately: IoT consumers, particularly in the industrial context, should deliberately consider whether continuous connectivity is needed given the use of the IoT device and the risks associated with its disruption.

The National Infrastructure Protection Plan (NIPP) states that:

Critical infrastructure that has long been subject to risks associated with physical threats and natural disasters is now increasingly exposed to cyber risks, which stem from growing integration of information and communications technologies with critical infrastructure operations and an adversary focus on exploiting potential cyber vulnerabilities [10].

Within “Mission 4: Safeguard and Secure Cyberspace” of the Department of Homeland Security’s FY 2014-2018 Strategic Plan are two Mission Priorities:

Reduce national cyber risk through the Cybersecurity Framework, threat awareness, public awareness campaigns, and best practices, all of which increase the baseline capabilities of critical infrastructure [11].

Enhance critical infrastructure security and resilience, with respect to physical and cyber risks, by reducing vulnerabilities, sharing information on threat, consequences and mitigations, detecting malicious activity, promoting resilient critical infrastructure design, and partnering with critical infrastructure owners and operators [11].

Federal Trade Commission (FTC)


Over the last few years the FTC has been heavily involved in discussions regarding IoT security. The FTC has chosen not to regulate the IoT, citing the potential impact on innovation. Some notable articles and guides from the FTC on the IoT are below:

National Institute of Standards and Technology (NIST)


The NIST Framework for Improving Critical Infrastructure Cybersecurity (FICIC) can be applied to more than critical infrastructure. The FICIC 1) builds from existing standards, guidelines, and practices; 2) is "technology neutral"; and 3) provides a "common taxonomy and mechanism" for organizations to "describe their current cybersecurity posture" and "their target state for cybersecurity", "identify and prioritize opportunities for improvement within the context of a continuous and repeatable process", "assess progress toward the target state", and "communicate among internal and external stakeholders about cybersecurity risk".

State, Local, Territorial, and Tribal (SLTT) governments


TBD
