Seeking Cybersecurity Alignment via Collaboration
September 24, 2019


September/October 2019
The new “Internet of Things Security Baseline” plan shows what can be done by a public-private collaboration facing an urgent global problem – cybersecurity intrusions that affect all aspects of technology, including power and public utility facilities, personal health monitors and smart home/smart car capabilities.
One word keeps emerging from industry and government experts working on the problems: “Alignment.” Standards makers and regulators emphasize their objectives to “align” policies and principles so that security solutions work effectively across many platforms and devices.
The C2 (“Convene the Conveners”) group of nearly two dozen industry organizations recently issued its C2 Consensus on IoT Device Security Baseline Capabilities report, aligned with the work of the National Institute of Standards and Technology (NIST) and other government agencies. NIST leads a federal task force (which also draws on private sector expertise) to establish a baseline for assuring cybersecurity in IoT devices.
The C2 draft acknowledges that many efforts and many standards are emerging as global industry groups and regulators grapple with the new challenges of digital evildoers. The report says the multiplicity of technical experts’ “well-thought-out and effective recommendations” has raised more questions “about where to start, how to consider such a wealth of overlapping recommendations, and which ones to follow.”
That’s why there is “a need for a common baseline of security capabilities for all IoT devices” to assure “efficiencies of scale in development, manufacturing, support, training, assessment and identification of IoT products with increased security controls,” according to the C2 report.
IoT and Insecurity
Finding successful protections that make financial sense and meet public policy objectives is at the heart of the cybersecurity projects. Among the challenges are finding cost-effective ways to assure security in low-cost sensors and ensuring that protective systems meet privacy criteria. The report notes the deluge of IoT devices that “introduce new concerns regarding the safety, reliability, security, resilience and privacy of the device, leading to potential reduction in the overall trustworthiness of the system.”
The C2 initiative, which was coordinated by the Council to Secure the Digital Economy and CTA, includes groups such as the Association of Home Appliance Manufacturers, Cable Television Laboratories Inc., CTIA, the Internet of Secure Things, Underwriters Laboratories Inc., the U.S. Chamber of Commerce and the United States Telecom Association. Bergman explains that each of these industry groups convenes its own membership and security experts, so the C2 effort—“convene the conveners”—is leveraging expertise far and wide.
Bergman points out that the C2 white paper is one step toward a formal technical standard. CTA is developing a cybersecurity standard designated as “ANSI/CTA-2088,” which is expected to be ready by year’s end. Among the goals of that document is creation of a national standard that can be adopted by manufacturers, retailers and others – thus establishing a single, unified benchmark before a patchwork of state or regional standards fragments the security requirements.
Matthew Eggers, VP of cybersecurity policy, national security and emergency preparedness at the U.S. Chamber of Commerce, explains that developing a cybersecurity baseline is vital, not just for companies but also to help policymakers appreciate the importance of the issues. Eggers calls “strong devices” the centerpiece for security.
“We want to see those strong devices out into the marketplace, so they are ubiquitous,” he says. “We also want to get the attention of policymakers.”
Eggers says pricing – and the entire cost versus value issue – is a challenge, although he believes that “the cost issue will resolve itself over time.” Most significantly, the Chamber’s focus is supporting “certainty and protections,” especially so that multinational producers can rely on a cyber program that is uniform wherever they operate and sell merchandise – what Eggers calls a “baseline that is good for industry and for the ecosystem.”
Urgent Attention Needed
Analyses, such as the Cyber Incident & Breach Trends Report from the Internet Society’s Online Trust Alliance, cite weak spots that have allowed ransomware, data breaches and distributed denial-of-service (DDoS) attacks. Symantec’s Internet Security Threat Report 2019 notes that DDoS represented 80% of IoT-based attacks last year. And Symantec notes “there are signs that the objectives and methods of IoT attackers are becoming more diverse.”
“We’re not trying to cry wolf” about IoT threats in the physical world, writes Candid Wueest, senior principal threat researcher at Symantec Security Response, in a blog. “Those types of attacks will likely grow in frequency.”
A CTA study found that the top use of AI in 2018 was in cybersecurity, detecting and deterring security intrusions. According to CTA, 44% of all AI applications were used to automate cybersecurity tasks by using deep-learning algorithms to find patterns in data and to detect vulnerable user behaviors.
Capitalizing on the Cloud’s Security Capabilities
All these industry and government cyber initiatives are leading to the cloud, says Michael Nelson, a Washington policy executive specializing in internet security. “Cybersecurity models will have to change for the Internet of Things,” he adds. Nelson has worked at the White House, on Capitol Hill, for major tech firms and taught internet security at Georgetown University. “We should think of it as a ‘cloud of things’ rather than IoT because it’s all about data security, not network security. And security is in the cloud.”
“IoT devices are often so simple that you cannot provide all the security features within them,” Nelson continues. “The solution is to create cloud-based gateways to control access to the device and also to prevent them from being used in attacks on other devices on the internet.” He also cautions against “misguided attempts to impose security checklists on every device.”
He says baseline agreements are necessary to assure security through many devices and components. “The scariest problem is that some devices get plugged into a corporate system, which means that if hackers break into a vendor’s server, the effect can then radiate out to other devices attached to that source,” Nelson says. Placing the protection in the cloud can prevent those attacks.
Jack Cutts, senior director of industry and business intelligence, CTA, recommends that companies leverage the cloud to protect against DDoS or malware implantation. “Since so much of our data traverses the cloud when traveling to and from our devices, the centralized cloud is the logical and cost-effective place to scan for malware, to fight malicious bots and to flag suspicious transactions in real time,” Cutts explains. He also acknowledges the value of cybersecurity specialists who are “often best-suited to distill lessons learned from across industry verticals to inform the most holistic views possible of what the threat landscape looks like.”
“The advent of cloud computing combined with the huge advances in machine learning and artificial intelligence mean that cybersecurity firms are well placed to have sustained, measurable impact,” Cutts says.
Diana Volere, chief evangelist at Saviynt Inc., a Seattle data infrastructure and cloud security firm, agrees that the cloud offers cybersecurity solutions to combat the vulnerabilities in the rapid expansion of IoT devices. She calls it “fairly disturbing” that the fast acceleration of IoT devices has meant that companies are “not adopting published standards and adhering to them.”
She cites problems such as manufacturers who do not source components from reliable manufacturers. “Chips and technology could be compromised before they hit the shelves,” Volere explains, which means that when they are plugged into the network, they can cause immense harm. “The fact that we don’t have standards in place is one thing,” Volere says, but “organizations that are handling personal data should be aware” of ways to assure protection.
Cynthia Brumfield, a cybersecurity analyst and publisher of Metacurity, gives a shout-out to ideas that are coming from “a host of cybersecurity startups that have raised hundreds of millions of dollars to build security into IoT devices.” She points to ventures that seek “to help users better position themselves to ensure the security of those devices. Even browser makers such as Mozilla are incorporating guides to IoT device security.”
Inevitably the intense efforts of government and industry groups to find solutions to the growing cybersecurity challenges will generate valuable solutions. The shared goal of “aligned” policies will also face some hurdles – if only because of the cornucopia of expertise. As the C2 report points out, a major challenge may be “how to consider such a wealth of overlapping recommendations and [decide] which ones to follow.”
The CTA-2088 standard is an ANSI standard being developed by CTA’s R14 committee, Cybersecurity and Privacy Management. It covers the same IoT device ‘core’ baseline security capabilities as the C2 consensus, such as limiting internal device access to authorized users. The baseline states the “what” of each element of security: What is the expected capability?
CTA-2088 goes the next step and asks “how?” How does a device demonstrate this capability? Manufacturers, retailers and assessment groups need the answer to this question. In engineering terms, they need a testable criterion.
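To make the “what” versus “how” distinction concrete, here is an added example of what a testable criterion for one baseline capability, “limit internal device access to authorized users,” could look like. It is illustrative code written for this article, not text or test procedures from CTA-2088, the C2 report or any device vendor. The device, its endpoint paths, the credentials and the `SimulatedDevice` and `check_access_control` names are all constructed assumptions; an assessor would point the same kind of harness at a real management interface.

```python
import hashlib
import hmac
import secrets

# Constructed assumption: these "internal" paths must require an authorized
# user, while the public path may be reached anonymously.
INTERNAL_PATHS = ["/config", "/firmware/update", "/users"]
PUBLIC_PATHS = ["/status"]


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the simulated device never stores cleartext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class SimulatedDevice:
    """In-memory stand-in for a device management interface (constructed).

    `open_paths` lets us model a defective firmware build that exposes an
    internal page without authentication, so the criterion has something
    to fail on.
    """

    def __init__(self, users: dict, open_paths=()):
        self._users = {}
        for name, password in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, _hash(password, salt))
        self._open_paths = set(PUBLIC_PATHS) | set(open_paths)

    def _authorized(self, creds) -> bool:
        if creds is None:
            return False
        name, password = creds
        entry = self._users.get(name)
        if entry is None:
            return False
        salt, digest = entry
        # Constant-time comparison of the stored and recomputed hashes.
        return hmac.compare_digest(digest, _hash(password, salt))

    def request(self, path: str, creds=None) -> int:
        """Return an HTTP-style status code for a request to `path`."""
        if path in self._open_paths:
            return 200
        if path in INTERNAL_PATHS:
            return 200 if self._authorized(creds) else 401
        return 404


def check_access_control(device, good_creds, bad_creds=("admin", "admin")) -> dict:
    """Pass/fail criterion for 'limit internal device access to authorized users'.

    Every internal path must reject an anonymous caller and a caller using
    bad (e.g. default) credentials, and must admit the authorized user;
    public paths must stay reachable. Returns per-path findings and a verdict.
    """
    findings = {}
    for path in INTERNAL_PATHS:
        findings[path] = {
            "anonymous_rejected": device.request(path) == 401,
            "bad_creds_rejected": device.request(path, bad_creds) == 401,
            "authorized_allowed": device.request(path, good_creds) == 200,
        }
    for path in PUBLIC_PATHS:
        findings[path] = {"reachable": device.request(path) == 200}
    verdict = all(all(checks.values()) for checks in findings.values())
    findings["pass"] = verdict
    return findings


if __name__ == "__main__":
    # Constructed operator account for the demonstration.
    operator = ("operator", "correct horse battery staple")
    conforming = SimulatedDevice({operator[0]: operator[1]})
    leaky = SimulatedDevice({operator[0]: operator[1]}, open_paths={"/config"})
    print("conforming device passes:", check_access_control(conforming, operator)["pass"])
    print("leaky device passes:", check_access_control(leaky, operator)["pass"])
```

The point of the harness is that each line of the capability statement becomes an observable outcome (a status code) that a manufacturer, retailer or assessment lab can reproduce, rather than a claim the device maker asserts about itself.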
Who Oversees it All?
Legislators in at least 45 states are examining how they can provide individuals and organizations with cybersecurity protections, especially for connected devices, financial and medical information and government services, according to the National Conference of State Legislatures. A few states have adopted laws, notably California’s Internet of Things law, which goes into effect on January 1, 2020. The new law (SB-327) requires all connected-device makers to equip products with “reasonable security features or features to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.”
The prospect of dozens of state or regional regulations poses a challenge, even to those who are not eager for any national regulation of smart devices. CTA’s approach to cyber policy is to allow technical, consensus-driven standards and guidelines to lead the industry, rather than regulators. Regulatory requirements that differ by state or jurisdiction would inhibit security, says CTA, which seeks to promote global harmonization versus fragmentation of security specifications.
CTA’s policy is to support “consensus-based, voluntary standards and tools that promote adaptive device security,” and encourages policymakers to “focus on the baseline security approach and industry-led efforts that are not prescriptive to manufacturers in a single jurisdiction or region.”