[Senate Hearing 116-356]
[From the U.S. Government Publishing Office]
                                                        S. Hrg. 116-356

                    STRENGTHENING THE CYBERSECURITY 
                       OF THE INTERNET OF THINGS

=======================================================================

                                HEARING

                               before the

                        SUBCOMMITTEE ON SECURITY

                                 of the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 30, 2019

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation

                Available online: http://www.govinfo.gov 
                             _________
                              
                 U.S. GOVERNMENT PUBLISHING OFFICE
                 
42-448 PDF               WASHINGTON : 2023 
       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                  ROGER WICKER, Mississippi, Chairman
JOHN THUNE, South Dakota             MARIA CANTWELL, Washington, Ranking
ROY BLUNT, Missouri                  AMY KLOBUCHAR, Minnesota
TED CRUZ, Texas                      RICHARD BLUMENTHAL, Connecticut
DEB FISCHER, Nebraska                BRIAN SCHATZ, Hawaii
JERRY MORAN, Kansas                  EDWARD MARKEY, Massachusetts
DAN SULLIVAN, Alaska                 TOM UDALL, New Mexico
CORY GARDNER, Colorado               GARY PETERS, Michigan
MARSHA BLACKBURN, Tennessee          TAMMY BALDWIN, Wisconsin
SHELLEY MOORE CAPITO, West Virginia  TAMMY DUCKWORTH, Illinois
MIKE LEE, Utah                       JON TESTER, Montana
RON JOHNSON, Wisconsin               KYRSTEN SINEMA, Arizona
TODD YOUNG, Indiana                  JACKY ROSEN, Nevada
RICK SCOTT, Florida
                       John Keast, Staff Director
                  Crystal Tully, Deputy Staff Director
                      Steven Wall, General Counsel
                 Kim Lipsky, Democratic Staff Director
              Chris Day, Democratic Deputy Staff Director
                      Renae Black, Senior Counsel
                                 ------                                

                        SUBCOMMITTEE ON SECURITY

DAN SULLIVAN, Alaska, Chairman       EDWARD MARKEY, Massachusetts, Ranking
ROY BLUNT, Missouri                  AMY KLOBUCHAR, Minnesota
TED CRUZ, Texas                      RICHARD BLUMENTHAL, Connecticut
DEB FISCHER, Nebraska                BRIAN SCHATZ, Hawaii
MARSHA BLACKBURN, Tennessee          TOM UDALL, New Mexico
MIKE LEE, Utah                       TAMMY DUCKWORTH, Illinois
RON JOHNSON, Wisconsin               KYRSTEN SINEMA, Arizona
TODD YOUNG, Indiana                  JACKY ROSEN, Nevada
RICK SCOTT, Florida
                            C O N T E N T S

                              ----------                              
Hearing held on April 30, 2019
Statement of Senator Sullivan
Statement of Senator Markey
Statement of Senator Scott
Statement of Senator Sinema
Statement of Senator Fischer
Statement of Senator Blumenthal
Statement of Senator Klobuchar
Statement of Senator Cantwell
Statement of Senator Moran

                               Witnesses

Charles H. Romine, Ph.D., Director, Information Technology 
  Laboratory, National Institute of Standards and Technology, 
  United States Department of Commerce
    Prepared statement
Matthew J. Eggers, Vice President, Cybersecurity Policy, U.S. 
  Chamber of Commerce
    Prepared statement
Robert Mayer, Senior Vice President for Cybersecurity, 
  USTelecom--The Broadband Association
    Prepared statement
Michael Bergman, Vice President, Technology and Standards, 
  Consumer Technology Association
    Prepared statement
Harley Geiger, Director of Public Policy, Rapid7
    Prepared statement

                                Appendix

Response to written questions submitted to Charles H. Romine, 
  Ph.D. by:
    Hon. Roger Wicker
    Hon. Jerry Moran
    Hon. Todd Young
    Hon. Amy Klobuchar
Response to written questions submitted to Matthew Eggers by:
    Hon. Roger Wicker
Response to written questions submitted to Robert Mayer by:
    Hon. Roger Wicker
    Hon. Todd Young
    Hon. Amy Klobuchar
Response to written questions submitted to Michael Bergman by:
    Hon. Roger Wicker
    Hon. Jerry Moran
    Hon. Todd Young
Response to written questions submitted to Harley Geiger by:
    Hon. Roger Wicker
    Hon. Jerry Moran

 
                    STRENGTHENING THE CYBERSECURITY 
                       OF THE INTERNET OF THINGS

                              ----------                              


                        TUESDAY, APRIL 30, 2019

                               U.S. Senate,
                          Subcommittee on Security,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:30 p.m., in 
room SD-562, Dirksen Senate Office Building, Hon. Dan Sullivan, 
Chairman of the Subcommittee, presiding.
    Present: Senators Sullivan [presiding], Fischer, Moran, 
Young, Scott, Markey, Cantwell, Klobuchar, Blumenthal, Sinema, 
and Rosen.

            OPENING STATEMENT OF HON. DAN SULLIVAN, 
                    U.S. SENATOR FROM ALASKA

    Senator Sullivan. The Subcommittee on Security will now 
come to order.
    In our increasingly interconnected world, the devices and 
systems that make up the Internet of Things deliver substantial 
benefit to end users. By the year 2020, the number of connected 
devices may exceed 50 billion, offering a wide range of new 
capabilities for consumer products, including everything from 
home appliances to medical devices to industrial control 
systems. However, these new technologies are susceptible to 
unprecedented security challenges that are becoming apparent, 
increasingly, day by day.
    Cybercrime and cyber espionage have serious impacts on 
consumers and companies, including damage to company 
performance, trade, competitiveness, and innovation for our 
country, writ large. In recent years, cybercrime has been 
estimated to cost the global economy anywhere from $375 to $575 
billion annually. As we discussed in the Subcommittee's 
inaugural hearing, China is a major player in cyber espionage, 
and this activity continues against U.S. companies, going 
largely unabated, despite Chinese government-level assurances 
that they are going to discontinue these kinds of activities, 
another area of what I refer to as ``promise fatigue,'' where 
we get commitments from China, year after year, decade after 
decade, and they don't follow through on any of them. ``Promise 
fatigue.'' These state-driven cyberattacks give Chinese 
enterprises an edge in international deals, specifically to 
obtain information related to bid prices, contracts, and 
mergers and acquisitions, let alone the damage this does to our 
own national security. It has been estimated that China was the 
number-one source for Internet of Things attacks in 2018, 
responsible for 24 percent of the average 5,200 monthly attacks 
on U.S. cybersecurity firm Symantec's IoT honeypot. Last year 
alone, U.S. authorities issued 19 indictments related to 
Chinese cyber espionage in the most recent year.
    One of the largest Internet of Things cyberattacks was 
recently prosecuted in my home State of Alaska. In October 
2016, the Mirai botnet was used in a large-scale attack by 
enslaving poorly secured IoT devices, like wireless routers and 
security cameras, including devices in Alaska, and using the 
devices to bombard the servers of target companies, preventing 
many users from accessing major websites, including Amazon, 
Spotify, Reddit, and Twitter. While the authors and 
perpetrators of the attack have been identified and prosecuted, 
it was not before the release of the source code online 
spawning dozens of copycat and potential causes to Internet 
outages through manipulation of unsecured Internet of Things 
devices. Sound security practices must keep pace with the 
expansion of the Internet of Things in order to mitigate these 
threats.
    Over the last few years, the Commerce Committee has 
supported the public/private partnership approach to 
cybersecurity, including the enactment of the Cybersecurity 
Enhancement Act, to provide for the development of voluntary--
of a voluntary framework to reduce cyber risk to critical 
infrastructure, as well as Senate passage of the DIGIT Act to 
establish a working group to focus on how to plan for and 
encourage the growth of Internet of Things.
    This hearing, as part of an oversight hearing, will serve 
to emphasize the value in continued public/private partnership 
collaboration to advance our shared interests in strengthening 
cybersecurity as well as the value in fostering cybersecurity 
standards that are voluntary, flexible, performance-based, and 
cost-effective. We'll be hearing from both government and 
industry stakeholders to examine the security threats and 
challenges and ways to incentivize building more cybersecurity 
by design into connected devices and the networks that support 
them.
    With that, I want to thank our witnesses for being here 
today. I look forward to hearing their thoughts on these 
important issues.
    And I now recognize Ranking Member Markey for any opening 
statements he may have.

               STATEMENT OF HON. EDWARD MARKEY, 
                U.S. SENATOR FROM MASSACHUSETTS

    Senator Markey. Yes. And again, thank you, Mr. Chairman. 
Thank you for this very important hearing and phenomenal panel 
which you have put together, and the subject matter that we are 
going to consider.
    Cybersecurity has become one of the most critical security, 
economic, and privacy issues facing our Nation, but it's 
certainly not a new threat. As the Chairman of the House 
Subcommittee on Telecommunications back in 1993, I convened two 
hearings to explore what I called at the time ``the sinister 
side of cyberspace.'' Cybersecurity was then an issue which was 
of great concern. At those hearings, we saw how an ordinary 
cellular telephone could be reprogrammed to become a scanner 
capable of eavesdropping on other people's phone calls by just 
turning it over and switching a few wires and then listening to 
the cellphone calls of Congressmen in the Rayburn Building in 
1993. We saw a videotape of how Dutch hackers broke into the 
Pacific Fleet Command and the Kennedy Space Center from a 
computer terminal in Amsterdam in 1993.
    But, that was back in the old days. That was before 
Facebook and WikiLeaks, when only birds tweeted. That was the 
BF era, the Before Facebook era. We're now in an era which is 
so much more dangerous than that now seemingly prosaic era that 
I am referring to as dangerous, as it was at that time, even 
when it was clear that developing a national policy for 
cybersecurity was of fundamental importance for the future of 
our national networks, our competitiveness internationally, and 
our constituents' safety and security at home. So, it's not a 
new issue.
    Now, is the opportunity to develop that national policy. 
And I thank you, Mr. Chairman, because, as this committee 
begins shaping a national privacy law, we must include a robust 
cybersecurity regime that truly protects the American public, 
our industries, and government institutions from ``the sinister 
side of cyberspace.'' We can, and we should, give people a 
privacy bill of rights, providing people the right to tell 
companies that they cannot share or sell their personal 
information without consent.
    But, you can't truly have privacy without ensuring your 
personal information is protected from hackers. And there is no 
better place to begin exploring what the cybersecurity regime 
should look like than discussing cybersecurity protections for 
the Internet of Things, or IoT. Because we know that North 
Korean, Russian, Chinese hackers want to infiltrate our 
networks and our own devices, so we need to know how we can 
stop it. But, we also need to know how we stop domestic hackers 
from compromising the information of Americans, as well. 
Because there's no question that, while IoT holds the promise 
of revolutionizing the way we live and we work, that we should 
also be wary, because IoT also stands for the Internet of 
Threats, which operates simultaneously. With as many as, as the 
Chairman said, tens of billions of IoT devices--Internet-
connected thermostats, refrigerators, baby monitors, to name a 
few--projected to be in our pockets, cars, homes by 2020, cyber 
vulnerabilities will continue to pose a direct threat to 
economic prosperity, privacy, and our Nation's security.
    In 2016, for example, hostile actors launched a massive 
denial-of-service attack, where hundreds of thousands of hacked 
IoT devices--cameras, baby monitors, and home routers--were 
commandeered and used to send overwhelming streams of Internet 
traffic to core parts of the Internet's infrastructure. 
Ultimately, several major websites were disrupted, including 
Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, and the New 
York Times. Recently, the Washington Post reported on a 
troubling case, where hackers accessed an Internet-connected 
baby monitor and used the device's speaker to beam pornographic 
audio into a 3-year-old's bedroom. Cyber criminals were even 
able to access a casino's high-roller database by hacking an 
Internet-connected thermometer in a fish tank, granting them 
access to the casino's network. There is clearly a Dickensian 
quality to the Internet.
    And IoT devices--and it's the best of Wi-Fi and the worst 
of Wi-Fi simultaneously--it can enable, it can ennoble, it can 
degrade, it can debase. We're here today to find out how we 
stop the degrading and debasing of this system. And that's why 
I'm so excited, Mr. Chairman, for the opportunity to explore 
these opportunities to enhance our cyber defenses, including 
discussing my Cyber Shield Act, legislation that would create a 
voluntary cybersecurity certification program for IoT devices.
    I want to thank the witnesses for testifying, and you, Mr. 
Chairman, for this very important hearing.
    Senator Sullivan. Great. Well, thank you, Senator Markey.
    And we have votes, here, so we're going to be doing a 
little bit of a dance to make sure we continue the hearing as 
we go to vote.
    But, I do want to welcome our witnesses here. We have a 
great group of witnesses on an issue that I think the entire 
country is focused on and we, in the Congress, need to get our 
arms around: Mr. Charles Romine, Director of Information 
Technology Laboratory, the National Institute of Standards and 
Technology; Matthew Eggers, the Vice President of Cybersecurity 
Policy at the U.S. Chamber of Commerce; Mr. Robert Mayer, the 
Senior Vice President for Cybersecurity, USTelecom, for The 
Broadband Association; Mr. Michael Bergman, Vice President of 
Technology and Standards for the Consumer Technology 
Association; and Mr. Harley Geiger, Director of Public Policy, 
Rapid7. Is that correct?
    So, thank you. I will ask each of you to present your oral 
testimony in 5 minutes or less. And, of course, a longer 
written statement will be included for the record.
    Mr. Romine, we'll begin with you, sir.

        STATEMENT OF CHARLES H. ROMINE, Ph.D., DIRECTOR,
               INFORMATION TECHNOLOGY LABORATORY,
        NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY,
              UNITED STATES DEPARTMENT OF COMMERCE

    Dr. Romine. Thank you. Chairman Sullivan, Ranking Member 
Markey, and members of the Subcommittee, I'm Charles Romine, 
the Director of the Information Technology Laboratory at the 
Department of Commerce's National Institute of Standards and 
Technology, or NIST. Thank you for the opportunity to testify 
today on strengthening the cybersecurity of the Internet of 
Things. Today, I will discuss NIST's role in cultivating trust 
in the security of the Internet of Things.
    In the area of cybersecurity, NIST has worked with Federal 
agencies, industry, and academia since 1972, when it helped 
develop and publish the data-encryption standard. Today, NIST's 
Cybersecurity for the Internet of Things Program supports the 
development and application of standards, guidelines, and 
related tools to improve the cybersecurity of connected devices 
and the environments in which they're deployed.
    In recognition of a critical cybersecurity gap, NIST 
released Draft NIST Interagency Report 8228, Considerations for 
Managing IoT Cybersecurity and Privacy Risks, in September 
2018. The purpose of this publication is to help organizations 
better understand and manage the cybersecurity and privacy 
risks associated with IoT devices throughout their life cycles. 
The publication provides insights to inform organizations' risk 
management processes.
    NIST also published the NIST Interagency Report 8200, which 
examines the current state of international cybersecurity 
standards development by voluntary consensus standards bodies 
for IoT. The report establishes a common understanding of IoT 
components, systems, and applications for which standards could 
be relevant.
    In May 2018, the Departments of Commerce and Homeland 
Security published the Report to the President on Enhancing the 
Resilience of the Internet and Communications Ecosystem Against 
Botnets and Other Automated Distributed Threats. The report 
called for the Federal Government to clearly delineate 
priorities for action, and a roadmap was later released to 
identify tasks and timelines for completion. The roadmap calls 
on NIST, in collaboration with stakeholders, to identify a core 
set of cybersecurity capabilities which can also be used to 
support sector-specific baselines, as needed, such as the 
Federal Government or home consumers.
    On February 4, 2019, NIST published a discussion draft to 
gather feedback to help identify core IoT cybersecurity 
capabilities that are most vital to IoT devices. NIST 
identified a critical gap area in guidance on baselines for IoT 
device cybersecurity. This paper presents one possible approach 
to developing guidelines--baselines.
    A critical NIST resource is NIST's National Vulnerability 
Database, or NVD. The NVD is the U.S. Government repository of 
standards-based vulnerability management data. NIST receives 
publicly available vulnerability information, standardizes it 
for use in scanners and vulnerability identification and 
mediation tools, and provides analysis and metrics for 
vulnerability severity. IoT vulnerabilities are one type of 
many items that are collected, scored, and communicated in the 
NVD.
    NIST has initiated a process to solicit, evaluate, and 
standardize lightweight cryptographic algorithms that are 
suitable for use in constrained environments where the 
performance of current NIST cryptographic standards is not 
acceptable. Today, NIST is evaluating 56 potential lightweight 
encryption algorithms for use in these environments, and will 
start down--to down-select this initial set this year.
    NIST's National Cybersecurity Center of Excellence, the 
NCCoE, is a collaborative hub, where industry organizations, 
government agencies, and academic institutions work together to 
address businesses' most pressing cybersecurity issues. This 
public/private partnership enables the creation of practical 
cybersecurity solutions for specific industries as well as for 
broad cross-sector technology challenges. The NCCoE has many 
published practice guides, ongoing projects exploring 
solutions, and upcoming projects exploring new challenges and 
building communities of interest that all directly support the 
cybersecurity of the Internet of Things.
    In the healthcare space, the NCCoE previously published 
practice guides demonstrating an example solution for securing 
wireless infusion pumps that apply security controls to the 
pump's environment to create a defense-in-depth approach for 
protecting infusion pumps and their surrounding systems against 
various risk factors.
    In addition to these published example solutions, the NCCoE 
has three upcoming projects that address cybersecurity 
challenges seen in many IoT devices and environments:
    First, the Securing Picture Archive and Communication 
System Project is currently exploring solutions that allow 
healthcare delivery organizations to apply cybersecurity 
controls to their imaging systems.
    Second, the Securing Telehealth Remote Patient Monitoring 
Ecosystem Project will explore cybersecurity controls to 
protect remote-patient monitoring platforms, which commonly 
incorporate home medical devices that are part of the IoT.
    Third, the Consumer Home IoT Security Project will explore 
how specific devices, platforms, and/or software may provide 
additional cybersecurity to home IoT networks.
    Thank you for the opportunity to present NIST's activities 
on securing the Internet of Things. And I would be pleased to 
answer any questions that you may have.
    [The prepared statement of Dr. Romine follows:]

 Prepared Statement of Charles H. Romine, Ph.D., Director, Information 
Technology Laboratory, National Institute of Standards and Technology, 
                  United States Department of Commerce
    Chairman Sullivan, Ranking Member Markey, and Members of the 
Subcommittee, I am Charles Romine, the Director of the Information 
Technology Laboratory (ITL) at the Department of Commerce's National 
Institute of Standards and Technology (NIST). Thank you for the 
opportunity to testify today on Strengthening the Cybersecurity of the 
Internet of Things (IoT), which is of critical importance to the 
security and economic well-being of America.
    The rapid proliferation of internet-connected devices and rise of 
the IoT come with great anticipation. These newly connected devices 
bring the promise of enhanced business efficiencies and increased 
customer satisfaction. As the landscape of IoT continues to expand, it 
is vital to foster cybersecurity for devices and data in the IoT 
ecosystem, across industry sectors and at scale. Today I will discuss 
NIST's role in cultivating trust in the security of the Internet of 
Things.
NIST's Role in Cybersecurity
    Home to five Nobel Prizes, with programs focused on national 
priorities such as advanced manufacturing, the digital economy, 
precision metrology, quantum science, and biosciences, NIST's mission 
is to promote U.S. innovation and industrial competitiveness by 
advancing measurement science, standards, and technology in ways that 
enhance economic security and improve our quality of life.
    In the area of cybersecurity, NIST has worked with Federal 
agencies, industry, and academia since 1972, when it helped develop and 
publish the data encryption standard, which enabled efficiencies like 
electronic banking that we all enjoy today. NIST's role is to provide 
technologies, approved tools, data references and testing methods to 
protect the Federal Government's information systems against threats to 
the confidentiality, integrity, and availability of information and 
services. This role was strengthened through the Computer Security Act 
of 1987 (Public Law 100-235), broadened through the Federal Information 
Security Management Act of 2002 (FISMA) (Public Law 107-347)\1\ and 
reaffirmed in the Federal Information Security Modernization Act of 
2014 (FISMA 2014) (Public Law 113-283). In addition, the Cybersecurity 
Enhancement Act of 2014 (Public Law 113-274) authorizes NIST to 
facilitate and support the development of voluntary, industry-led 
cybersecurity standards and best practices for critical infrastructure.
---------------------------------------------------------------------------
    \1\ FISMA was enacted as Title III of the E-Government Act of 2002 
(Public Law 107-347).
---------------------------------------------------------------------------
    NIST develops guidelines in an open, transparent, and collaborative 
manner that enlists broad expertise from around the world. These 
resources are used by Federal agencies as well as businesses of all 
sizes, educational institutions, and state, local, and tribal 
governments, because NIST's standards and guidelines are effective, 
state-of-the-art and widely accepted. NIST disseminates its resources 
through a variety of means that encourage the broad sharing of tools, 
security reference data, information security standards, guidelines, 
and practices, along with outreach to stakeholders, participation in 
government and industry events, and online mechanisms.
The Internet of Things (IoT)
    The Internet of Things is a rapidly evolving and expanding 
collection of diverse technologies that interact with the physical 
world. IoT devices are an outcome of combining the worlds of 
information technology (IT) and operational technology (OT). With the 
inexpensive rise of Wi-Fi and other connective technology chip sets and 
wireless technologies, we can connect almost anything to the Internet 
and harness computing power far beyond our traditional personal 
computer and laptop environments. Many IoT devices now take advantage 
of the result of the convergence of cloud computing, mobile computing, 
embedded systems, big data, low-price hardware, and other technological 
advances.
    IoT devices can use computing functionality, data storage, and 
network connectivity for equipment that previously lacked them, 
enabling new efficiencies and technological capabilities for the 
equipment. IoT also adds the ability to analyze data about the physical 
world and use the results to better inform decision making, alter the 
physical environment, and anticipate future events. While the full 
scope of IoT is not precisely defined, it is clearly vast. Every sector 
has its own types of IoT devices, such as specialized hospital 
equipment in the healthcare sector and smart road technologies in the 
transportation sector, and there are many enterprise IoT devices that 
every sector can use.
    Also, versions of nearly every consumer electronics device, many of 
which are also present in organizations' facilities, have become 
connected IoT devices--kitchen appliances, thermostats, home security 
cameras, door locks, light bulbs, and televisions. Many organizations 
are not necessarily aware that they are using a large number of IoT 
devices. It is important that organizations understand their use of IoT 
because many IoT devices affect cybersecurity and privacy risks 
differently than conventional IT devices do.
    Many IoT devices interact with the physical world in ways 
conventional IT devices usually do not. For example, IoT devices with 
actuators have the ability to make changes to physical systems and thus 
affect the physical world. Another important aspect of IoT device 
interactions with the physical world is the operational requirements 
devices must meet in various environments and use cases. Many IoT 
devices must comply with stringent requirements for performance, 
reliability, resilience, safety, and other objectives. These 
requirements may be at odds with common cybersecurity and privacy 
practices for conventional IT.
    Once organizations are aware of their existing IoT usage and 
possible future usage, they need to understand the IoT device risk 
considerations and the challenges they may cause to mitigating 
cybersecurity and privacy risks; adjust organizational policies and 
processes to address the cybersecurity and privacy risk mitigation 
challenges throughout the IoT device lifecycle; and implement updated 
mitigation practices for the organization's IoT devices.
NIST's Cybersecurity for the Internet of Things Program
    The growth of network-connected devices, systems, and services 
comprising the IoT creates immense opportunities and benefits for our 
society. However, to reap the great benefits of IoT and to minimize the 
potentially significant risks, these network-connected devices need to 
be secure and resilient. This depends in large part upon the timely 
availability and widespread adoption of clear and effective 
international cybersecurity standards.
    Securing IoT devices is a major challenge, as manufacturers tend to 
focus on functionality, compatibility requirements, customer 
convenience, and time-to-market rather than security. Meanwhile, 
security threats are increasing. For example, Symantec reported a 600 
percent increase in attacks against IoT devices from 2016 to 2017.\2\
---------------------------------------------------------------------------
    \2\ https://www.symantec.com/content/dam/symantec/docs/reports/
istr-23-2018-en.pdf
---------------------------------------------------------------------------
    The IoT ecosystem's nature brings new security considerations. 
These considerations include--but are not limited to--constrained power 
and processing; the ability to manage, update, and patch devices at 
scale; and a diverse set of new applications across consumer and 
industrial sectors.
    NIST's Cybersecurity for the Internet of Things program supports 
the development and application of standards, guidelines, and related 
tools to improve the cybersecurity of connected devices and the 
environments in which they are deployed. By collaborating with 
stakeholders across government, industry, international bodies, and 
academia, the program aims to cultivate trust and foster an environment 
that enables innovation on a global scale.
    Additionally, NIST is studying the usability factors affecting 
cybersecurity and privacy perceptions of consumers of smart home 
devices to understand how these factors influence buying decisions and 
home use.

   Considerations for Managing IoT Cybersecurity and Privacy 
        Risks: NIST Internal Report 8228 (NISTIR 8228)
        In recognition of a critical cybersecurity gap, NIST released 
        draft NIST Internal Report 8228 \3\, Considerations for 
        Managing IoT Cybersecurity and Privacy Risks in September 2018. 
        The purpose of this publication is to help organizations better 
        understand and manage the cybersecurity and privacy risks 
        associated with IoT devices throughout their lifecycles. This 
        publication emphasizes what makes managing these risks 
        different for IoT devices than conventional IT devices, and it 
        omits all aspects of risk management that are largely the same 
        for IoT and conventional IT. The publication provides insights 
        to inform organizations' risk management processes. For some 
        IoT devices, additional types of risks, including safety, 
        reliability, and resiliency, need to be managed simultaneously 
        with cybersecurity and privacy risks because of the effects 
        addressing one type of risk can have on others. Only 
        cybersecurity and privacy risks are in scope for this 
        publication.
---------------------------------------------------------------------------
    \3\ https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8228-draft.pdf

   Status of International Cybersecurity Standardization for 
        IoT: NIST Internal Report 8200 (NISTIR 8200)
        NIST Interagency Report 8200 \4\, published in November 2018, 
        examines the current state of international cybersecurity 
        standards development by voluntary consensus standards bodies 
        for IoT. NISTIR 8200 is intended for use by the government and 
        the broader public. The report aims to inform and enable 
        policymakers, managers, and standards participants as they seek 
        timely development and use of such standards in IoT components, 
        systems, and related services.
---------------------------------------------------------------------------
    \4\ https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf

        NISTIR 8200 establishes a common understanding of IoT 
        components, systems and applications for which standards could 
        be relevant. Additionally, it provides a functional description 
        of IoT components, which are the basic building blocks of IoT 
        systems. To provide insights into the present state of IoT 
        cybersecurity standardization, the report describes five IoT 
        technology application areas. These areas are certainly not 
        exhaustive, but they are sufficiently representative to use in 
        analyzing the present state of IoT cybersecurity 
        standardization:

      --  Connected vehicle IoT enables vehicles, roads, and other 
            infrastructure to communicate and share vital 
            transportation information.

      --  Consumer IoT consists of IoT applications in residences as 
            well as wearable and mobile devices.

      --  Health IoT processes data derived from sources such as 
            electronic health records and patient-generated health 
            data.

      --  Smart building IoT includes energy usage monitoring systems, 
            physical access control security systems and lighting 
            control systems.

      --  Smart manufacturing IoT enables enterprise-wide integration 
            of data, technology, advanced manufacturing capabilities, 
            and cloud and other services.

        IoT cybersecurity objectives, risks, and threats are then 
        analyzed for IoT applications in general and for each of the 
        five illustrative IoT technology application areas. 
        Cybersecurity objectives for traditional IT systems generally 
        prioritize confidentiality, then integrity, and lastly 
        availability. IoT systems cross multiple sectors as well as use 
        cases within those sectors. Accordingly, cybersecurity 
        objectives may be prioritized very differently by various 
        parties, depending on the application. The increased ubiquity 
        of IoT components and systems heightens the risks they present. 
        Standards-based cybersecurity risk management will continue to 
        be a major factor in the trustworthiness of IoT applications. 
        Analysis of the application areas makes it clear that 
        cybersecurity for IoT is unique and requires tailoring existing 
        standards and creating new standards to address challenges, for 
        example: pop-up network connections, shared system components, 
        the ability to change physical aspects of the environment, and 
        related connections to safety.

        NISTIR 8200 describes 12 cybersecurity core areas and provides 
        examples of relevant standards that, while not exhaustive, 
        represent an extensive effort to identify presently relevant 
        IoT cybersecurity standards. The report's conclusions focus 
        upon the issue of standards gaps and the effective use of 
        existing standards.

   Report to the President on Enhancing the Resilience of the 
        Internet and Communications Ecosystem Against Botnets and Other 
        Automated, Distributed Threats
        In May 2018, the Departments of Commerce and Homeland Security 
        published the Report to the President on Enhancing the 
        Resilience of the Internet and Communications Ecosystem Against 
        Botnets and Other Automated, Distributed Threats. Known as the 
        Botnet Report, this report was developed in response to the May 
        11, 2018, Executive Order (EO) 13800, ``Strengthening the 
        Cybersecurity of Federal Networks and Critical 
        Infrastructure.'' \5\ As explained in the Botnet Report, 
        resilience against botnets will require a multi-pronged 
        approach, with many of the report's recommended actions being 
        mutually supportive by design. The report called for the 
        Federal Government to clearly delineate priorities for action, 
        and a road map \6\ was later released to identify tasks and 
        timelines for completion. Recognizing that there is no one-
        size-fits-all, each of these recommendations and associated 
        actions and tasks works towards achieving the overall goal of a 
        more secure Internet ecosystem. The road map also helps to 
        sequence actions and tasks to achieve maximum benefit. As 
        explained in the road map, before assessment, labeling, or 
        awareness initiatives for IoT devices can begin, there first 
        needs to be the foundational task of describing a core 
        cybersecurity baseline, which is a set of cybersecurity 
        capabilities that are broadly applicable across many or all IoT 
        devices. The road map calls on NIST, in collaboration with 
        stakeholders, to identify a core set of cybersecurity 
        capabilities, which can also be used to support sector-specific 
        baselines as needed, such as the Federal Government or home 
        consumers. An identified core set of these capabilities would 
        encourage harmonization and indicate the minimum cybersecurity 
        capabilities any IoT device should support. A core baseline can 
        serve as a foundation upon which more detailed and rigorous 
        baselines for individual sectors and verticals can be 
        developed. For example, a connected medical device would likely 
        require more cybersecurity capabilities than an IoT light bulb.
---------------------------------------------------------------------------
    \5\ Exec. Order No. 13800, 82 Fed. Reg. 22391, at 22394 (May 11, 
2017): https://federalregister.gov/d/2017-10004
    \6\ https://www.commerce.gov/sites/default/files/2018-11/Botnet%20Road%20Map%20112918%20for%20posting_0.pdf

   Considerations for a Core IoT Cybersecurity Capabilities 
        Baseline
        On February 4, 2019, NIST published a discussion draft \7\ to 
        gather feedback to help identify core IoT cybersecurity 
        capabilities that are most vital for IoT devices. Through NIST 
        research, related stakeholder engagement, comments received 
        during the NISTIR 8228 public comment period, and, as described 
        above, in the Botnet Report, NIST identified a critical gap 
        area in guidance on baselines for IoT device cybersecurity. In 
        particular, there was interest in baselines focused on the pre-
        market cybersecurity capabilities that could be built into the 
        products, as opposed to the cybersecurity controls that 
        consumers or organizations that use IoT in their enterprise 
        operations, could apply post-market.
---------------------------------------------------------------------------
    \7\ https://www.nist.gov/sites/default/files/documents/2019/02/01/final_core_iot_cybersecurity_capabilities_baseline_considerations.pdf

        This paper presents one possible approach to developing 
        baselines, which includes initial thoughts about what a core 
        baseline of cybersecurity capabilities that are important for 
        most IoT devices would look like. In this paper, ``baseline'' 
        is used in the generic sense to refer to a set of foundational 
        requirements or recommendations. These could be used by IoT 
        device manufacturers to guide the cybersecurity capabilities 
        they implement in their products, as well as be used as a 
        starting point by communities of interest to develop baselines 
        appropriate to their community.

   National Vulnerability Database
        NIST's National Vulnerability Database (NVD)\8\, supported by 
        the Department of Homeland Security's Cybersecurity and 
        Infrastructure Security Agency, is the U.S. government 
        repository of standards-based vulnerability management data. 
        This data enables automation of vulnerability management, 
        security measurement, and compliance. NIST maintains the U.S. 
        National Vulnerability Database, which is the worldwide public 
        repository used to communicate vulnerabilities to the Nation. 
        NIST receives publicly available vulnerability information, 
        standardizes it for use in scanners and vulnerability 
        identification and mediation tools, and provides analysis and 
        metrics for vulnerability severity. IoT vulnerabilities are one 
        type of many items that are collected, scored and communicated 
        in the NVD.
---------------------------------------------------------------------------
    \8\ https://nvd.nist.gov

   Lightweight Cryptography
        There are many IoT areas in which highly-constrained devices 
        are interconnected, typically communicating wirelessly with one 
        another, and working in concert to accomplish some task. 
        Security and privacy can be very important in all of these 
        areas. Because the majority of current cryptographic algorithms 
        were designed for desktop/server environments, many of these 
        algorithms do not fit into the constrained resources. If 
        current algorithms can be made to fit into the limited 
        resources of constrained environments, then their performance 
        may not be acceptable.

        NIST has initiated a process to solicit, evaluate, and 
        standardize lightweight cryptographic algorithms \9\ that are 
        suitable for use in constrained environments where the 
        performance of current NIST cryptographic standards is not 
        acceptable. Today NIST is evaluating 56 potential lightweight 
        encryption algorithms for use in these environments. As part of 
        our plans for identifying the best, NIST will start to down 
        select this initial set this fiscal year.
---------------------------------------------------------------------------
    \9\ https://csrc.nist.gov/Projects/Lightweight-Cryptography
---------------------------------------------------------------------------
National Cybersecurity Center of Excellence (NCCoE)
    Established in 2012, NIST's National Cybersecurity Center of 
Excellence (NCCoE) \10\ is a collaborative hub where industry 
organizations, government agencies, and academic institutions work 
together to address businesses' most pressing cybersecurity issues. 
This public-private partnership enables the creation of practical 
cybersecurity solutions for specific industries, as well as for broad, 
cross-sector technology challenges.
---------------------------------------------------------------------------
    \10\ https://www.nccoe.nist.gov/
---------------------------------------------------------------------------
    Through consortia under Cooperative Research and Development 
Agreements, including private sector collaborators--from Fortune 50 
market leaders to smaller companies specializing in IT security--the 
NCCoE applies standards and best practices to develop modular, easily 
adaptable example cybersecurity solutions using commercially available 
technology. Working with communities of interest, the NCCoE has 
produced practical cybersecurity solutions that benefit large and small 
businesses, and third-party service providers in diverse sectors 
including healthcare, energy, financial services, retail, and 
manufacturing.
    The NCCoE has many published practice guides, on-going projects 
exploring solutions, and upcoming projects exploring new challenges and 
building communities of interest that all directly support the 
cybersecurity of the Internet of Things. Recently, the Mitigating IoT-
Based Distributed Denial of Service (DDoS) project published practice 
guides demonstrating how use of the Manufacturer Usage Description 
specification could reduce the ability of IoT devices to participate 
in a DDoS attack.
    In the healthcare space, the NCCoE previously published practice 
guides demonstrating an example solution for Securing Wireless Infusion 
Pumps that applies security controls to the pump's environment to 
create a defense-in-depth approach for protecting infusion pumps and 
their surrounding systems against various risk factors. Additionally, 
as many IoT devices rely on cloud services, the example solutions 
identified in the NCCoE's Trusted Cloud practice guides help IoT 
environments by providing assurance that business processes in the 
cloud are running on trusted hardware and in trusted environments while 
also increasing the protection of data as it is processed and transmitted.
    In addition to these published example solutions, the NCCoE has 
several upcoming projects and ideas that may address cybersecurity 
challenges seen in many IoT devices and environments. The Securing 
Picture Archiving and Communication System project is currently 
exploring solutions that allow healthcare delivery organizations to 
apply cybersecurity controls to their imaging systems that provide 
significant integrity, availability, and confidentiality assurances 
since this data is about patients and used by doctors for determining 
health condition, follow-on visits, patient care, and other actions. 
Also, in the healthcare space, the Securing Telehealth Remote Patient 
Monitoring Ecosystem will explore cybersecurity controls to protect 
remote patient monitoring platforms, which commonly incorporate home 
medical devices that are part of the IoT. Home use of IoT is not 
limited to medical purposes. The NCCoE has initiated a Consumer Home 
IoT Security project, which will explore how specific devices, 
platforms, and/or software may provide additional cybersecurity to home 
IoT networks.
Conclusion
    Our economy is increasingly global, complex, and interconnected. It 
is characterized by rapid advances in information technology. IT 
products and services need to provide sufficient levels of 
cybersecurity and resilience. The timely availability of international 
cybersecurity standards is a dynamic and critical component for the 
cybersecurity and resilience of all information and communications 
systems and supporting infrastructures.
    The Internet of Things is a rapidly evolving and expanding 
collection of diverse technologies that interact with the physical 
world. Many organizations are not necessarily aware of the large number 
of IoT devices they are already using and how IoT devices may affect 
cybersecurity and privacy risks differently than conventional 
information technology devices do.
    The NIST's Cybersecurity for the Internet of Things program 
supports the development and application of standards, guidelines, and 
related tools to improve the cybersecurity of connected devices and the 
environments in which they are deployed. By collaborating with 
stakeholders across government, industry, international bodies, and 
academia, the program aims to cultivate trust and foster an environment 
that enables innovation on a global scale.
    NIST is proud of its role in establishing and improving the 
comprehensive set of cybersecurity technical solutions, standards, 
guidelines, and best practices, and of the robust collaborations 
enjoyed with its Federal Government partners, private sector 
collaborators, and international colleagues.
    Thank you for the opportunity to present NIST's activities on 
securing the Internet of Things. I will be pleased to answer any questions 
you may have.
                                 ______
                                 
                           Charles H. Romine
    Charles Romine is Director of the Information Technology Laboratory 
(ITL). ITL, one of seven research Laboratories within the National 
Institute of Standards and Technology (NIST), has an annual budget of 
$160 million, nearly 400 employees, and approximately 300 guest 
researchers from industry, universities, and foreign laboratories.
    Dr. Romine oversees a research program that cultivates trust in 
information technology and metrology by developing and disseminating 
standards, measurements, and testing for interoperability, security, 
usability, and reliability of information systems, including 
cybersecurity standards and guidelines for Federal agencies and U.S. 
industry, supporting these and measurement science at NIST through 
fundamental and applied research in computer science, mathematics, and 
statistics. Through its efforts, ITL supports NIST's mission, to 
promote U.S. innovation and industrial competitiveness by advancing 
measurement science, standards, and technology in ways that enhance 
economic security and improve our quality of life.
    Within NIST's traditional role as the overseer of the National 
Measurement System, ITL is conducting research addressing measurement 
challenges in information technology as well as issues of information 
and software quality, integrity, and usability. ITL is also charged 
with leading the Nation in using existing and emerging IT to help meet 
national priorities, including developing cybersecurity standards, 
guidelines, and associated methods and techniques, cloud computing, 
electronic voting, smart grid, homeland security applications, and 
health information technology.
Education:
    Ph.D. in Applied Mathematics from the University of Virginia.
    B.A. in Mathematics from the University of Virginia.

    Senator Markey [presiding]. Thank you, sir, very much.
    Next, we're going to hear from Matthew Eggers, Vice 
President of Cybersecurity Policy, United States Chamber of 
Commerce.
    Welcome, sir.

 STATEMENT OF MATTHEW J. EGGERS, VICE PRESIDENT, CYBERSECURITY 
                POLICY, U.S. CHAMBER OF COMMERCE

    Mr. Eggers. Thank you, sir. Good afternoon, Chairman 
Sullivan, Ranking Member Markey, and other distinguished 
members of the Security Subcommittee. My name is Matthew 
Eggers, and I'm the Vice President of Cybersecurity Policy with 
the U.S. Chamber of Commerce. On behalf of the Chamber, I 
welcome the opportunity to testify before the Subcommittee 
regarding enhancing the cybersecurity and resilience of the 
Internet of Things, IoT.
    The Chamber welcomes the Subcommittee's dedication to 
examining pressing cyber matters. The Chamber is optimistic 
about the future of the IoT, including consumer and industrial 
devices. Many observers predict that the connectivity of the 
IoT will bring positive benefits through enhanced efficiency 
and productivity across the economy. Managing cyber risk across 
the Internet and communications ecosystem is central to growing 
the IoT and increasing businesses' gains.
    The business community, NIST, and other stakeholders are 
developing a core cybersecurity capabilities baseline for IoT 
devices. A top Chamber priority for industry is to achieve 
consensus on the technical criteria that support the IoT cyber 
baseline. The Chamber wants device makers, service providers, 
and buyers to win, from the development of state-of-the-art 
components and sound risk-management practices. The Chamber 
believes that IoT cyber efforts will be most effective if they 
reflect global standards and industry-driven practices. A 
fragmented cybersecurity environment, both at home and 
overseas, creates uncertainty for industry and splinters the 
resources that businesses devote to device development, 
production, and assessments. The Chamber and other 
organizations, including NIST, have been actively meeting with 
foreign governments to urge them to embrace a core IoT security 
capabilities baseline.
    It's worth highlighting that, in February, the Chamber and 
some 20 organizations sent a letter to the White House to urge 
the administration and Congress to support NIST's partnership 
with industry to strengthen IoT cybersecurity. The Chamber 
stressed three points to White House officials:
    First, this initiative should advance NIST's ongoing IoT 
cyberwork with industry, in keeping with efforts such as NIST's 
draft considerations for a core IoT cybersecurity capabilities 
baseline and the administration's botnet roadmap.
    Second, the undertaking should be elevated, policywise, to 
better address a number of IoT cyber proposals that are being 
developed at home and abroad. The Chamber wants this effort to 
capture the imagination of public- and private-sector 
stakeholders--in essence, to serve as an IoT cyber rallying 
point comparable to what the popular cybersecurity framework 
does for managing enterprise risk and threats. Congress should 
boost NIST's funding, especially given the array of significant 
tasks that it undertakes with the private sector on 
cybersecurity and resilience.
    Third, the botnet roadmap calls for establishing a robust 
market for consumer and industrial devices. Stakeholders are 
trying to solve a chicken-and-egg-strategy problem.
    Key next steps include advancing a market that generates 
both security and value for buyers and sellers. Market and/or 
policy incentives may be needed to jumpstart this circle.
    Thank you for giving me a chance to convey the Chamber's 
views. I'm happy to answer any questions.
    [The prepared statement of Mr. Eggers follows:]

       Prepared Statement of Matthew J. Eggers, Vice President, 
             Cybersecurity Policy, U.S. Chamber of Commerce
    The U.S. Chamber of Commerce is the world's largest business 
federation representing the interests of more than 3 million businesses 
of all sizes, sectors, and regions, as well as state and local chambers 
and industry associations. The Chamber is dedicated to promoting, 
protecting, and defending America's free enterprise system.
    More than 96 percent of Chamber member companies have fewer than 
100 employees, and many of the Nation's largest companies are active 
members. We are therefore cognizant not only of the challenges facing 
smaller businesses but also those facing the business community at 
large.
    Besides representing a cross-section of the American business 
community with respect to the number of employees, major 
classifications of American business--for example, manufacturing, 
retailing, services, construction, wholesalers, and finance--are 
represented. The Chamber has membership in all 50 states.
    The Chamber's international reach is substantial as well. We 
believe that global interdependence provides opportunities, not 
threats. In addition to the American Chambers of Commerce abroad, an 
increasing number of our members engage in the export and import of 
both goods and services and have ongoing investment activities. The 
Chamber favors strengthened international competitiveness and opposes 
artificial U.S. and foreign barriers to international business.
                                 ______
                                 
                                Summary
   Industry and National Institute of Standards and Technology 
        (NIST) leadership. The business community, NIST, and other 
        stakeholders are developing a core cybersecurity capabilities 
        baseline for Internet of Things (IoT) devices. A top U.S. 
        Chamber of Commerce priority for industry is to achieve 
        consensus on the technical criteria that support the IoT cyber 
        baseline.

   A win-win security cybersecurity market. The Chamber wants 
        device makers, service providers, and buyers to gain from the 
        development of state-of-the-art IoT components and sound risk 
        management practices.

   Global, industry-driven standards and practices. The Chamber 
        believes that IoT cyber efforts will be most effective if they 
        reflect global standards and industry-driven practices. A 
        fragmented global cybersecurity environment creates uncertainty 
        for industry and splinters the resources that businesses devote 
        to device development, production, and assessments.

    Good afternoon, Chairman Sullivan, Ranking Member Markey, and other 
distinguished members of the Security Subcommittee (subcommittee). My 
name is Matthew Eggers, and I am the vice president of cybersecurity 
policy with the U.S. Chamber of Commerce's Cyber, Intelligence, and 
Security Division (CISD). On behalf of the Chamber, I welcome the 
opportunity to testify before the subcommittee regarding enhancing the 
cybersecurity and resilience of the Internet of Things (IoT). The 
Chamber welcomes the subcommittee's dedication to examining pressing 
cyber matters.
    The Chamber's CISD was established in 2003 to develop and implement 
the Chamber's homeland and national security policies. The division's 
Cybersecurity Working Group (CWG), which I lead, identifies current and 
emerging issues, crafts policies and positions, and provides analysis 
and direct advocacy to government and business leaders.
    In addition to the CWG, I want to highlight two other groups within 
the Chamber that address IoT--the Chamber Technology Engagement Center 
(C_TEC) and Project Security, which handles our international cyber 
initiatives. C_TEC is at the forefront of advancing IoT deployment and 
innovation in the digital economy. Its initiatives include working 
groups on autonomous vehicles, 5G, and unmanned aerial vehicles.\1\
---------------------------------------------------------------------------
    \1\ The Chamber Technology Engagement Center (C_TEC).
    https://www.uschamber.com/ctec
---------------------------------------------------------------------------
    Project Security is a partnership between CISD and the Center for 
Global Regulatory Cooperation (GRC), which is housed in the Chamber's 
International Division. Project Security works with foreign governments 
and multilateral forums to promote international alignment to flexible, 
globally accepted risk-based approaches to cybersecurity.
    Project Security has engaged more than 30 foreign governments as 
they create and implement their respective cybersecurity programs. This 
engagement includes the European Commission (EC) and European Union 
(EU) national authorities regarding the Cybersecurity Act. The act 
establishes EU-wide cyber certification schemes for information and 
communications technology (ICT) products, services, and processes, 
including IoT devices.\2\ Project Security leaders meet regularly with 
EU officials to negotiate constructive outcomes on IoT cybersecurity. 
It also works with other international stakeholders, such as Japan, 
Singapore, Australia, and the U.K., to fashion consensus and industry-
driven policy approaches to IoT security.\3\
---------------------------------------------------------------------------
    \2\ In March 2019, the European Parliament approved a cybersecurity 
regulation commonly known as the Cybersecurity Act, which was initiated 
approximately two years ago.
    http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+TA+P8-TA-2019-0151+0+DOC+PDF+V0//EN
    In August 2017, the Chamber and six European organizations sent a 
letter to the European Commission regarding ``measures on cybersecurity 
standards, certification and labelling to make ICT-based systems, 
including connected objects.'' The industry groups argued that Europe, 
like the U.S., can expect to benefit from economic growth brought about 
by the expanding IoT as long as policymakers cultivate a digital 
environment that avoids misguided regulations and supports pioneering 
businesses.
    www.uschamber.com/sites/default/files/iot.cybersecurity.coalition._ec.letter.pdf
    \3\ See Chamber and Wiley Rein LLP paper The IoT Revolution and Our 
Digital Security: Principles for IoT Security, September 2017.
    https://www.uschamber.com/IoT-security
---------------------------------------------------------------------------
    I recognize that the subcommittee is considering legislation that 
addresses IoT cybersecurity. However, I will confine my written 
statement to (1) highlighting some key problems that face the IoT cyber 
market, (2) discussing industry and NIST collaboration toward a core 
IoT cybersecurity baseline, and (3) soliciting the subcommittee's 
assistance and counsel in elevating the fruits of this partnership at 
home and overseas.
Framing Key IoT Cybersecurity Challenges
    It is important to frame some of the central challenges that impact 
the IoT cyber marketplace before discussing solutions.\4\ In speaking 
at length with stakeholders over the last two years, the Chamber has 
identified several challenges associated with IoT cybersecurity:
---------------------------------------------------------------------------
    \4\ Readers of this testimony are encouraged to listen to ``The 
Right Way to Solve Complex Business Problems,'' Harvard Business 
Review's (HBR's) IdeaCast, December 4, 2018.
    https://hbr.org/ideacast/2018/12/the-right-way-to-solve-complex-business-problems

   Security risk. IoT objects are potentially vulnerable 
        targets for hackers. As the number of IoT devices grows, so 
        will the potential risk of successful intrusions and increases 
        in costs from those incidents.\5\ Strong IoT security should be 
        a win-win proposition for the makers and purchasers of robust 
        devices, as well as U.S. economic and national security.\6\
---------------------------------------------------------------------------
    \5\ Eric A. Fischer, The Internet of Things: Frequently Asked 
Questions, Congressional Research Service (CRS), October 13, 2015, pg. 
14.
    https://fas.org/sgp/crs/misc/R44227.pdf
    \6\ Some 50 billion devices will be connected to the Internet by 
2020. According to the Chamber's estimates, the IoT could add roughly 
$15 trillion to global GDP over the next 20 years. See the Chamber's 
October 3, 2017, testimony before the House Oversight and Government 
Reform Committee Information Technology Subcommittee.
    https://docs.house.gov/meetings/GO/GO25/20171003/106460/HHRG-115-GO25-Wstate-EggersM-20171003.pdf
---------------------------------------------------------------------------

   Technical standards. Industry and government share an 
        interest in fostering stronger IoT security and resilience. The 
        business community and NIST are working diligently to deliver a 
        core capabilities baseline for IoT devices that increases 
        security, is dynamic in the face of threats, and is scalable 
        internationally. A top Chamber priority will be for industry to 
        achieve consensus on the technical criteria that support the 
        IoT cyber baseline, including for consumer and industrial 
        devices.

   Public policy mandates. The Chamber is concerned about 
        policies at home and abroad that require specific, top-down 
        approaches to security. Such mandates are unlikely to keep up 
        with malicious actors or align with international best 
        practices--outcomes that the Chamber presses the public and 
        private sectors to pursue.\7\
---------------------------------------------------------------------------
    \7\ The Chamber would welcome clear steps by government officials 
to elevate their defense of industry and the IoT ecosystem.
---------------------------------------------------------------------------

   Buyer decision making. A number of IoT cyber advocates take 
        a ``build it and they will come'' approach to IoT cyber, which 
        tracks with traditional, rational notions of economics. Yet it 
        is unclear if buyers--including individuals, households, 
        businesses, and public institutions--will (1) pay for the cost 
        of additional security features or (2) be able to identify a 
        strong device without a nonregulatory tool to help them make 
        educated choices.\8\
---------------------------------------------------------------------------
    \8\ John Beshears and Francesco Gina, ``Leaders as Decision 
Architects,'' HBR, May 2015.
    https://hbr.org/2015/05/leaders-as-decision-architects
---------------------------------------------------------------------------

    Most people's intuition is to buy the least expensive device even 
if the device's security is not strong--and possibly contrary to their 
own best interests. The Chamber seeks to better understand how people 
make real-world choices regarding purchasing IoT technology.\9\ The 
Chamber wants to get strong devices into the networks of businesses and 
the hands of consumers. Among other things, strong IoT will yield 
positive externalities.\10\
---------------------------------------------------------------------------
    \9\ Richard H. Thaler, Misbehaving: The Making of Behavioral 
Economics (W.W. Norton and Company: New York, 2015).
    \10\ On positive externalities, see N. Gregory Mankiw, Principles 
of Economics, Third Edition (Thomson: U.S., 2004), pg. 207.
---------------------------------------------------------------------------
Industry and NIST Are Developing a Core IoT Cybersecurity Baseline
    On February 7, 2019, the Chamber and 23 organizations sent a letter 
to the White House to urge the administration and Congress to support 
NIST's partnership with industry to strengthen IoT cybersecurity. The 
letter called on policymakers to support NIST in convening a robust 
effort on IoT security. Such an initiative will help stakeholders 
identify a flexible, performance-based, and cost-effective approach 
that can be voluntarily used by producers, sellers, and users of IoT 
devices to help them manage cyber risk and threats. The Chamber 
stressed three points in communicating with White House officials:

   Complement existing work. This initiative should advance 
        NIST's ongoing IoT cyber work with industry, in keeping with 
        NIST's February 2019 draft Considerations for a Core IoT 
        Cybersecurity Capabilities Baseline; the September 2018 draft 
        NIST Interagency Report (NISTIR) 8228, Considerations for 
        Managing IoT Cybersecurity and Privacy Risks; and the 
        administration's November 2018 Botnet Road Map.\11\
---------------------------------------------------------------------------
    \11\ NIST's Cybersecurity for the Internet of Things (IoT) Program.
    https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program

    The Council to Secure the Digital Economy (CSDE) and the Consumer 
Technology Association (CTA) are coordinating the development of an 
industry-led consensus--which its participants call the CSDE C2 (short 
for ``convening the conveners'')--regarding cybersecurity capabilities 
that will be common to new IoT devices. The CSDE C2 project will inform 
NIST's work, and vice versa, on identifying a core set of cybersecurity 
capabilities that could be a baseline for IoT devices.

    Katerina Megas, ``Let's talk about IoT device security,'' the 
National Institute of Standards and Technology (NIST), February 4, 
2019.
    https://www.nist.gov/blogs/i-think-therefore-iam/lets-talk-about-iot-device-security
    https://www.nist.gov/sites/default/files/documents/2019/02/01/final_core_iot_cybersecurity_capabilities_baseline_considerations.pdf

    On February 7, 2019, 24 associations sent a letter to the White 
House to urge the administration and Congress to support NIST's efforts 
alongside industry to bolster IoT security.
    https://www.uschamber.com/sites/default/files/2-7-19_multi-association_wh_letter_iot_cybersecurity_final.pdf

    Draft NISTIR 8228, Considerations for Managing Internet of Things 
(IoT) Cybersecurity and Privacy Risks, September 24, 2018. The Chamber 
commented on NISTIR 8228 on October 24, 2018.
    https://www.uschamber.com/sites/default/files/10-24-18_u.s._chamber_comment_letter_draft_nistir_8228_final.pdf

    The Department of Commerce and the Department of Homeland Security 
(DHS), Road Map: Building a More Resilient Internet (aka the Botnet 
Road Map), November 29, 2018.
    https://www.ntia.doc.gov/blog/2018/road-map-building-more-resilient-internet
---------------------------------------------------------------------------

   Elevate U.S. policy. The undertaking should be elevated 
        policywise to better compete with a number of IoT cyber 
        proposals that are being developed at home and abroad. The 
        Chamber wants this expedited effort to capture the imagination 
        of public-and private-sector stakeholders--in essence, to serve 
        as an IoT cyber rallying point--comparable to what the popular 
        Cybersecurity Framework does for managing enterprise risks. 
        Congress should boost the agency's funding, especially given 
        the array of significant tasks that it undertakes with the 
        private sector on cybersecurity and resilience.

   Foster a market. The Botnet Road Map calls for establishing 
        robust markets for consumer and industrial devices. The Chamber 
        wants device makers, service providers, and consumers to profit 
        from the business community leading the development of state-
        of-the-art IoT components and practices. Stakeholders are 
        trying to solve a chicken-and-egg strategy problem. Key next 
        steps include advancing a market that generates both security 
        and value for buyers and sellers. Market and/or policy 
        incentives may be needed to jump-start this circle.\12\
---------------------------------------------------------------------------
    \12\ This graphic was inspired, in part, by the Strategic Toolkits 
webpage, ``Chicken and Egg Strategy Problems.''
    http://strategictoolkits.com/strategic-concepts/chicken-and-egg-strategy-problems
---------------------------------------------------------------------------
IoT Cybersecurity Needs to Be Rooted in Global, Industry-Driven 
        Standards and Practices
    In 2015, the Chamber supported NISTIR 8074, Report on Strategic 
U.S. Government Engagement in International Standardization to Achieve 
U.S. Objectives for Cybersecurity, which served as a precursor to the 
November 2018 NISTIR 8200, Status of International Cybersecurity 
Standardization for Internet of Things (IoT).\13\ The Chamber contends 
that IoT cyber efforts will be most effective if they reflect global 
standards and industry-driven practices, including the joint industry-
NIST core IoT security baseline. We urge Congress to leverage the 
following principles when crafting IoT security policy:
---------------------------------------------------------------------------
    \13\ See April 18, 2018, Chamber letter to NIST on draft NISTIR 
8200, Status of International Cybersecurity Standardization for 
Internet of Things (IoT).
    https://www.nist.gov/sites/default/files/documents/2018/04/19/4-18-18_uscc_letter_nist_draft_nistir_8200_final.pdf
---------------------------------------------------------------------------

   Support U.S. leadership in international IoT cyber forums. 
        Standards, guidance, and best practices relevant to 
        cybersecurity are typically led by the private sector and 
        adopted on a voluntary basis; they are optimal when developed 
        and recognized globally. Such approaches avoid burdening 
        multinational enterprises with the requirements of multiple, 
        and often conflicting, jurisdictions.

        The Chamber appreciates that NIST has been actively meeting 
        with foreign governments to urge them to embrace a core IoT 
        security capabilities baseline. The Chamber urges the 
        administration to work with international partners and believes 
        that these discussions should be stakeholder driven and occur 
        routinely.

   Reduce regulatory fragmentation. There is market demand for 
        a common IoT cyber security baseline--due to a growing number 
        of often disparate policy proposals and requirements--to chart 
        a path for businesses and standards bodies to follow. A 
        fragmented global cybersecurity environment creates much 
        uncertainty for device makers and buyers and splinters the 
        resources that businesses devote to sound device development, 
        production, and assessments.

   Spotlight global alignment with an industry-led baseline. 
        The Chamber believes that policymakers in the U.S. and abroad 
        should align their IoT security and resilience programs with an 
        industry-led IoT cyber capabilities baseline. Achieving 
        consensus between the business community and NIST will 
        streamline and strengthen government-industry collaboration on 
        IoT security and enable the U.S. to champion more effectively a 
        core IoT cyber baseline worldwide. This method should also 
        ensure stakeholders' cybersecurity concerns are adequately 
        addressed and that IoT security requirements do not become an 
        unnecessary barrier to trade.

    Thank you for giving me a chance to convey the Chamber's views. I 
am happy to answer any questions.

    Senator Markey. Thank you, Mr. Eggers, very much.
    And next we're going to hear from Robert Mayer, Senior Vice 
President for Cybersecurity, USTelecom--The Broadband 
Association

                   STATEMENT OF ROBERT MAYER,

            SENIOR VICE PRESIDENT FOR CYBERSECURITY,

              USTELECOM--THE BROADBAND ASSOCIATION

    Mr. Mayer. Chairman Sullivan, Ranking Member Markey, and 
other distinguished members of the Subcommittee, thank you for 
the opportunity to testify at today's hearing on the 
cybersecurity of the Internet of Things.
    My name is Robert Mayer, and I am the Senior Vice President 
for Cybersecurity at USTelecom--The Broadband Association. Our 
members are committed to safeguarding digital security as an 
essential driver of innovation, economic growth, public safety, 
and our national security. I also have the privilege of serving 
as the Chair of the Communications Sector Coordinating Council, 
which represents the broadcast, cable, satellite, wireless, and 
wireline industries, and coordinates all public/private 
partnerships in the security arena across the government 
landscape. And I was recently appointed to Co-chair the 
Department of Homeland Security's Information, Communication, 
and Technology Supply Chain Task Force.
    There is little doubt that the Internet of Things holds 
tremendous power and promise for our modern connected society. 
We already are seeing those benefits, from energy management to 
manufacturing, healthcare to transportation. But, with 30 
billion connected devices expected within a short--few short 
years, securing IoT is a chief cybersecurity challenge. 
Manufacturers, service providers, and developers are taking 
critical steps to improve the security of their products and 
the infrastructure supporting the digital ecosystem. USTelecom 
members, for example, use botnet detection and filtering 
techniques, provide IoT-managed security services, and 
collaborate with security researchers and law enforcement to 
limit the destructive potential of IoT botnets. AT&T and 
Ericsson, for example, recently launched an IoT security 
testing program aimed at improving device security.
    Acting on our commitment to ecosystem-wide solutions, 
USTelecom established the Council to Secure the Digital Economy 
in 2018. Created in partnership with the Information Technology 
Industry Council, CSDE is led by 12 global ICT companies whose 
shared mission is identifying sophisticated and evolving 
cyberthreats and the security practices that, if widely 
adopted, would contribute to the resiliency and sustainability 
of the global digital ecosystem.
    In November 2018, the CSDE and our strategic partner, the 
Consumer Technology Association, published the International 
Anti-Botnet Guide, which is included with this testimony. The 
Guide discusses problems inherent to IoT security and contains 
sets of baseline practices and advanced capabilities that are 
directly relevant to securing connected devices and the 
enabling infrastructure.
    Why are we laser-focused on IoT security vulnerabilities 
and the potential harm to consumers, businesses, and 
government? Because we have seen cameras used to invade their 
owners' privacy, confidential personal and business information 
stolen through seemingly innocuous IoT devices, such as 
thermometers, deeply personal objects, from children's toys to 
baby heart monitors being vulnerable to hackers, and hackers 
manipulating temperature in smart homes and whole buildings 
that have lost heat in the middle of winter. Concerns of this 
kind can have a massive influence on public perception of 
emerging technologies and, if not addressed in a meaningful 
way, threaten digital trust, causing unpredictable levels of 
disruption and economic harm.
    Government has a vital role to play in supporting industry 
initiatives and the evolving standards and practices necessary 
to combat these growing threats. It is our view that voluntary, 
prioritized, flexible, and cost-effective solutions embodied in 
the NIST cybersecurity framework can be effectively applied in 
the IoT space.
    We are also mindful that states are pursuing their own 
versions of cyber legislation. Our concern with this approach 
is that a patchwork of State compliance requirements will add 
complexity, confusion, and cost to an already challenging 
global landscape. The very nature of this challenge requires a 
highly adaptive and evolving response in as close to real time 
as possible. That level of innovation and operational 
implementation can only be realized when policies are carefully 
aligned with market dynamics.
    Thank you. And I look forward to answering your questions.
    [The prepared statement of Mr. Mayer follows:]

       Prepared Statement of Robert Mayer, Senior Vice-President 
                            Cybersecurity, 
              USTelecom--The Broadband Association
    Chairman Sullivan, Ranking Member Markey, and other distinguished 
Members of the Subcommittee, thank you for the opportunity to testify 
at today's hearing on the cybersecurity of the Internet of Things. My 
name is Robert Mayer and I am the Senior Vice-President of 
Cybersecurity at USTelecom, the trade association that represents a 
diverse membership that ranges from large publicly traded global 
communications providers to small companies and cooperatives all of 
whom are committed to the security of the digital ecosystem as an 
essential driver of innovation, economic growth, public safety, our 
national security and other societal benefits.
    The Internet of Things (IoT), a broad term referring to many 
categories of devices that connect to the internet, holds the promise 
of great benefits for modern society, both as a consumer-driven 
economic force that improves quality of life and as powerful sets of 
tools designed to increase efficiencies in measurable ways across 
businesses, governments, and non-profits. Today, we already see those 
benefits in diverse areas such as energy management, manufacturing, 
health care, and transportation to name a few. Yet, with 30 billion 
connected devices expected within a few short years and further 
exponential growth a virtual certainty, securing the IoT is among the 
chief cybersecurity challenges we face today.
    There is growing evidence of stakeholders taking actions to improve 
the security of their products and the infrastructure supporting the 
digital ecosystem. For example, USTelecom members use botnet detection 
and filtering techniques; provide IoT managed security services; and 
collaborate with security researchers and law enforcement to limit the 
destructive potential of IoT botnets. AT&T and Ericsson recently 
launched an IoT security testing program aimed at improving device 
security.
    Networks at every level are evolving to accommodate exponential 
growth in traffic associated with billions of new end-point devices. 
The introduction of 5G and the associated architecture will allow 
industry to incorporate security measures into more layers than in 
previous generations. ISPs, security vendors and other infrastructure 
providers are developing improved security offerings, such as firewalls 
that more intelligently identify authorized users and attackers.
    Commitment to ecosystem-wide solutions led to establishment by 
USTelecom in 2018 of the Council to Secure the Digital Economy (CSDE). 
Created in partnership with ITI, CSDE is led by 12 global ICT companies 
whose mission is to identify sophisticated and evolving cyber threats 
and the security practices that, if widely adopted, would materially 
contribute to the resiliency and sustainability of the global digital 
economy.
    In November 2018, the CSDE and our strategic partner the Consumer 
Technology Association published the International Anti-Botnet Guide 
which is included with this testimony. The Guide discusses the problems 
inherent to IoT security and contains sets of baseline practices and 
advanced capabilities that are directly relevant to securing connected 
devices and the enabling infrastructure.
    We are doing all of this because we have seen ample evidence of IoT 
security vulnerabilities and the potential harm to individuals, 
enterprises, government institutions and society writ large. We have 
seen that cameras can be used to invade their owners' privacy.\i\ 
Confidential personal and business information can be stolen through 
seemingly innocuous IoT devices, such as thermometers.\ii\ Deeply 
personal objects, from children's toys\iii\ to baby heart monitors\iv\ 
have been shown to be vulnerable to hackers. Vehicles can potentially 
be manipulated to cause deadly traffic accidents.\v\ Hackers can 
manipulate temperature in smart homes,\vi\ and whole buildings have 
lost heat in the middle of winter.\vii\ Concerns of this kind can have 
a massive influence on public perception of technologies, and if not 
addressed in meaningful ways, trust in the digital ecosystem will 
erode, causing unpredictable levels of disruption and economic harm.
---------------------------------------------------------------------------
    \i\ Ms. Smith, Hijacked Nest Devices Highlight the Insecurity of 
the IoT, CSO (Feb. 4, 2019), 
https://www.csoonline.com/article/3338136/hijacked-nest-devices-highlight-the-insecurity-of-the-iot.html.
    \ii\ Oscar Williams-Grut, Hackers Once Stole a Casino's High-roller 
Database Through a Thermometer in the Lobby Fish Tank, Business Insider 
(Apr. 15, 2018), 
https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4.
    \iii\ Glenn McDonald, Strange and Scary IoT Hacks: Child's Plays, 
Network World (July 3, 2018), 
https://www.networkworld.com/article/3285968/strange-and-scary-iot-hacks.html#slide3; 
Glenn McDonald, Strange and Scary IoT Hacks: Toy Stories, Network 
World (July 3, 2018), 
https://www.networkworld.com/article/3285968/strange-and-scary-iot-hacks.html#slide4.
    \iv\ Iain Thomson, Wi-Fi Baby Heart Monitor may Have the Worst IoT 
Security of 2016, The Register (Oct. 13, 2016), 
https://www.theregister.co.uk/2016/10/13/possibly_worst_iot_security_failure_yet.
    \v\ Andrew Meola, Consumers Don't Care if Their Connected Car can 
Get Hacked--Here's Why That's a Problem, Business Insider (Mar. 7, 
2016), 
https://www.businessinsider.com/smart-car-hacking-major-problem-for-iot-internet-of-things-2016-3 
(``Hackers could potentially crash a compromised car, but they are more 
likely to exploit IoT devices to gain entry to corporate and government 
networks and databases.'').
    \vi\ Luke Denne et al., We Hired Ethical Hackers to Hack a Family's 
Smart Home--Here's How It Turned Out, CBC News (Sept. 28, 2018), 
https://www.cbc.ca/news/technology/smart-home-hack-marketplace-1.4837963.
    \vii\ Lee Mathews, Hackers Use DDoS Attack To Cut Heat To 
Apartment, Forbes (Nov. 7, 2016), 
https://www.forbes.com/sites/leemathews/2016/11/07/ddos-attack-leaves-finnish-apartments-without-heat/#2b7483fb1a09.
---------------------------------------------------------------------------
    Government has a vital role in supporting industry initiatives and 
the evolving standards and practices that are necessary to combat this 
growing threat. It is our view that voluntary, prioritized, flexible 
and cost-effective solutions embodied in the NIST Cybersecurity 
Framework can be effectively applied in the IoT space. We are also 
mindful that many states are pursuing legislation in this area and we 
are concerned that a patchwork quilt of state compliance requirements 
will add complexity, confusion and costs to an already challenging 
global landscape. In the digital ecosystem, no jurisdiction exists 
totally independent of others. Therefore, recommendations aimed at 
setting standards in one part of the ecosystem, while ignoring the 
others, are misjudging the scope and nature of the IoT security 
challenge.
    In closing, we are strongly supportive of U.S. government and 
industry collaboration on IoT security at the Federal level, through 
the highly successful public-private partnership model. The very nature 
of this challenge requires a highly adaptive and evolving response in 
as close to real-time as possible. That level of innovation and 
operational implementation can only be realized when policies are 
carefully aligned with market dynamics.
    I look forward to answering your questions.

    Senator Fischer [presiding]. Thank you, Mr. Mayer.
    Next we have Mr. Michael Bergman, Vice President, 
Technology and Standards, Consumer Technology Association.
    Welcome, sir.

         STATEMENT OF MICHAEL BERGMAN, VICE PRESIDENT,

                   TECHNOLOGY AND STANDARDS,

                CONSUMER TECHNOLOGY ASSOCIATION

    Mr. Bergman. Thank you, Senator. Thank you, Chairman 
Sullivan, Ranking Member Markey, and members of the 
Subcommittee, for inviting me to testify today on strengthening 
the security of the Internet of Things. My name is Mike 
Bergman, and I serve as Vice President of Technology and 
Standards for the Consumer Technology Association.
    CTA represents more than 2,200 member companies who 
comprise the $398 billion U.S. consumer technology industry. We 
also own and produce CES, the world's gathering place for all 
who thrive on the business of consumer technologies. CTA also 
has a long history as a technical standards body. Our 
Technology and Standards Program is accredited by ANSI and 
includes more than 70 committees and over 1,000 participants.
    In my role at CTA, I am deeply engaged in collaborative 
efforts with government and industry to advance IoT security. 
These efforts with the government include NTIA's work on 
vulnerability management and software transparency, NIST's work 
to develop IoT baseline security capabilities, and other 
aspects of the Commerce Department's and DHS's joint Roadmap 
Toward Resilience Against Botnets.
    The proliferation of smart sensors and devices in our homes 
and cities, commonly referred to as the Internet of Things, 
will drive tremendous consumer and public benefits over the 
coming years. It also presents new challenges, including with 
regard to cybersecurity.
    CTA has seen the cybersecurity landscape change over the 
last few years. A critical development is that powerful market 
incentives are emerging. Retailers are increasingly concerned 
about protecting their customers. They know consumers want to 
feel comfortable buying IoT products, and they want a clear and 
uniform way to have the resulting cybersecurity discussion with 
their suppliers.
    In response, CTA has developed a number of consensus-based 
standards and tools which help manufacturers build more secure 
devices. Our tools allow manufacturers to assess their internal 
processes for building security into their products, and they 
help professionals ensure the devices are installed with the 
appropriate security-conscious settings.
    CTA has also formed important partnerships to address IoT 
security. In May 2018, we announced that we were working with 
the Council to Secure the Digital Economy to develop an Anti-
Botnet Guide. We released this guide in November of last year. 
The Guide offers companies across the digital ecosystem a set 
of baseline tools, practices, and processes that they can adopt 
to protect against the threat of botnets and other automated 
distributed attacks that use IoT devices.
    Last month, through the CSDE, CTA also convened 18 major 
cybersecurity and technology organizations, industry 
associations, and standards bodies in a process we call 
``Convene the Conveners,'' or C2, for short. C2 is an 
unprecedented industry effort to identify consensus baseline 
security capabilities for the rapidly growing IoT marketplace. 
It aims to address four challenges:
    First, promoting global harmonization of security 
specifications and requirements in the IoT marketplace to 
prevent fragmentation.
    Second, harnessing market forces that are increasingly 
demanding secure devices and systems.
    Third, developing a coherent common language on these 
issues that is useful to various policy, technical, and retail 
audiences.
    And finally, influencing policy development here and 
abroad.
    Through this effort and other avenues, we and many of our 
member companies are collaborating closely with leaders at 
NIST, NTIA, DHS, and other government agencies.
    CTA believes the U.S. Government should continue to play 
its important and sometimes indispensable role in facilitating 
activities among different ecosystem stakeholders. NIST's work 
related to cybersecurity is an example of the productive role 
government can play in these efforts.
    We commend the Senate Commerce Committee for its 
foundational role in promoting the NIST cybersecurity framework 
and supporting the framework's development, including through 
the Cybersecurity Enhancement Act of 2014.
    CTA believes the Committee should continue to support this 
approach for IoT security. Solutions must be built upon three 
pillars:
    First, technical consensus on IoT security across the 
global ecosystem.
    Second, voluntary standards and best practices.
    And finally, standards that scale.
    Market-driven security solutions promoted by government 
leaders and agencies can best address the global IoT security 
challenge at scale, and it is critical for U.S. industry and 
the U.S. Government to speak with one voice. We hope the 
Committee will continue supporting the groundbreaking efforts 
underway at NIST, NTIA, DHS, and across the industry. These 
efforts are providing formal processes and structures to lead 
the global IoT to a secure future.
    Thank you. And I'm happy to answer any questions you may 
have.
    [The prepared statement of Mr. Bergman follows:]

  Prepared Statement of Mike Bergman, Vice President, Technology and 
               Standards, Consumer Technology Association
I. Introduction
    Thank you Chairman Sullivan, Ranking Member Markey and members of 
the Subcommittee for inviting me to testify today on strengthening the 
security of the Internet of Things (IoT). I am Mike Bergman, Vice 
President of Technology and Standards, of the Consumer Technology 
Association (CTA)TM.\1\
---------------------------------------------------------------------------
    \1\ Consumer Technology Association (CTA) TM is the 
trade association representing the $398 billion U.S. consumer 
technology industry, which supports more than 18 million U.S. jobs. 
More than 2,200 companies--80 percent are small businesses and 
startups; others are among the world's best-known brands--enjoy the 
benefits of CTA membership including policy advocacy, market research, 
technical education, industry promotion, standards development and the 
fostering of business and strategic relationships. CTA also owns and 
produces CES, the world's gathering place for all who thrive on the 
business of consumer technologies. Profits from CES are reinvested into 
CTA's industry services.
---------------------------------------------------------------------------
    CTA represents more than 2,200 member companies--80 percent are 
small businesses and startups; others are among the world's best-known 
brands--who comprise the $398 billion U.S. consumer technology 
industry. We also own and produce CES, the world's gathering place for 
all who thrive on the business of consumer technologies. CTA welcomes 
the opportunity to provide input to the Subcommittee as it considers 
ways to strengthen IoT security. CTA stands for innovators, including 
many companies from large household names to entrepreneurial startups, 
whose products and services largely comprise the IoT.
    Though CTA is the principal trade association representing the 
interests of the consumer technology industry, CTA also has a long 
history as a technical standards body going back to the 1920s. Our 
Technology and Standards program is accredited by ANSI, the American 
National Standards Institute, and includes more than 70 committees and 
over 1,000 participants. As Vice President of Technology and Standards 
at CTA, my work is focused on this program. On a day-to-day basis, I 
work with technical leaders throughout the industry on technology 
standards issues. I also serve as a resource providing technical 
insights both within the association and for regulators and government 
leaders. Before joining CTA, I worked for over thirty years in a 
variety of product development and standards-setting roles across the 
consumer and computer technology industries.
    In my role at CTA, as I will discuss in greater depth, I am deeply 
engaged in collaborative efforts among the technology industry and with 
the government to advance IoT security. These include ecosystem-wide 
industry initiatives, the National Institute of Standards and 
Technology's (NIST's) efforts to develop IoT core baseline security 
capabilities \2\ and, more generally, advancing the Department of 
Commerce (DOC) and Department of Homeland Security's (DHS) ``Road Map 
Toward Resilience Against Botnets'' (DOC-DHS Road Map).\3\
---------------------------------------------------------------------------
    \2\ See NIST, Draft Considerations for a Core IoT Cybersecurity 
Capabilities Baseline (Feb. 2019), https://www.nist.gov/sites/default/
files/documents/2019/02/01/
final_core_iot_cybersecurity_capabilities_baseline_considerations.pdf.
    \3\ A Road Map Toward Resilience Against Botnets (Nov. 29, 2018), 
available at https://www.ntia.doc.gov/blog/2018/road-map-building-more-
resilient-internet.
---------------------------------------------------------------------------
II. Industry, in Close Coordination with Government Leaders, is 
        Proactively Addressing IoT Cybersecurity Challenges
    In recent years, the consumer technology ecosystem has grown ever 
more dynamic and complex. Consumers are increasingly incorporating 
technology in more aspects of their lives, and this consumer demand for 
anytime/anywhere connectivity will continue to drive the development of 
new innovation. The resulting proliferation of smart sensors and 
devices in our homes and cities (commonly referred to as the ``Internet 
of Things'') will enable tremendous consumer and public benefits over 
the coming years. This innovation also presents new challenges, 
especially regarding cybersecurity.
    Industry has been working to address security for years. CTA has 
developed a number of consensus-based standards and tools, including 
helping manufacturers build more secure devices \4\ and assess their 
internal processes for building in security \5\ in addition to helping 
professionals install devices with more appropriate security-conscious 
settings.\6\
---------------------------------------------------------------------------
    \4\ See, e.g., ``Securing Connected Devices for Consumers in the 
Home--A Manufacturer's Guide'' (CTA-TR-12CEB33), https://
members.cta.tech/ctaPublicationDetails/?id=c12ebabe-84cd-e811-b96f-
0003ff52809d
    \5\ BSIMM Assessment Survey, https://www.surveygizmo.com/s3/
2849582/BSIMM6.
    \6\ Connected Home Security System, https://www.cta.tech/
Membership/Member-Groups/TechHome-Division/
Device-Security-Checklist.aspx
---------------------------------------------------------------------------
    Building on the foundation we developed at CTA, we are working 
intensely with partners across the industry to secure the dynamic IoT 
ecosystem. In May 2018, we announced that we were working with the 
Council to Secure the Digital Economy (CSDE) to develop the 
International Anti-Botnet Guide (Guide). CSDE and CTA's members cover 
the entirety of the complex global Internet and communications 
ecosystem. We released the Guide in November 2018.\7\ The Guide is a 
playbook that offers companies across the digital ecosystem a set of 
baseline tools, practices and processes they can adopt to help protect 
against the threat of botnets and other automated distributed attacks. 
The guide provides a flexible approach for IoT devices of varying 
processing capabilities and data types, providing companies with a 
range of options to appropriately address security risks. We committed 
to promoting implementation of the Guide's recommendations and updating 
it each year, and we are currently working on updates.
---------------------------------------------------------------------------
    \7\ CSDE, International Anti-Botnet Guide 2018, available at 
https://securingdigitaleconomy.org/wp-content/uploads/2018/11/
CSDE-Anti-Botnet-Report-final.pdf.
---------------------------------------------------------------------------
    Last month, through the CSDE, we convened 18 major cybersecurity 
and technology organizations, industry associations, consortia and 
standards bodies--all groups that convene their own memberships 
(``Convene the Conveners,'' or C2). This unprecedented industry effort 
to identify baseline security capabilities for the rapidly growing IoT 
marketplace aims to address four challenges:

  1.  Promoting global harmonization vs. fragmentation of security 
        specifications/requirements.

  2.  Working with emerging global market forces that naturally favor 
        secure devices and systems.

  3.  Developing a coherent common language on these issues that is 
        compelling to various policy and technical audiences.

  4.  Influencing policy development in Europe, the U.S. (including at 
        the state level) and elsewhere.

    Through this effort and other avenues, we and many of our member 
companies are collaborating closely with leaders at the National 
Telecommunications and Information Administration (NTIA), NIST, DHS and 
other government agencies.\8\ We believe these agencies play important 
roles in developing trust in emerging technologies, such as the IoT. In 
this regard, we commend the Senate Commerce Committee for its essential 
role in promoting the NIST Cybersecurity Framework (Cybersecurity 
Framework) \9\ and supporting the Framework's development, including 
the support of the Cybersecurity Enhancement Act of 2014.\10\ CTA and 
its members strongly support the collaborative processes through which 
NIST has worked with the industry to develop and update the 
Cybersecurity Framework, as well as the NIST-convened, industry-
supported efforts set forth in the DOC-DHS Road Map.
---------------------------------------------------------------------------
    \8\ For instance, CTA has engaged, and will continue to engage, 
NIST in its important efforts to develop IoT security baseline 
capabilities.
    \9\ See NIST, Cybersecurity Framework, https://www.nist.gov/
cyberframework.
    \10\ Cybersecurity Enhancement Act of 2014, Pub. L. No. 113-274, 
128 Stat. 2971 (2014).
---------------------------------------------------------------------------
III. Market Forces Are Combining With Public-Private Cooperation for 
        Major Gains
    Companies in the retail sector are increasingly concerned about 
protecting their customers. They want customers to feel comfortable 
when they buy products, and they want the market for IoT devices to be 
something where consumers can engage freely. These companies are 
working internally and with CTA to develop ways to promote security 
among their manufacturing suppliers.
    Retailers suggest that retailer-manufacturer conversations--
discussions that ultimately result in supplier agreements--should be 
based in accepted industry standards. The largest retailers are looking 
to industry and government for guidance on standards and best 
practices. Retailers say they need a common, industry-accepted way to 
identify acceptable baseline security with their suppliers. NIST, as 
part of the DOC-DHS Road Map, is developing a list of core baseline 
security capabilities for IoT through a public multi-stakeholder 
process that will advance these market developments.\11\
---------------------------------------------------------------------------
    \11\ See NIST, Draft Considerations for a Core IoT Cybersecurity 
Capabilities Baseline (Feb. 2019), https://www.nist.gov/sites/default/
files/documents/2019/02/01/
final_core_iot_cybersecurity_capabilities_baseline_considerations.pdf.
---------------------------------------------------------------------------
    In turn, our C2 effort with the CSDE is driving industry consensus 
for these security capabilities. Our effort will inform NIST and other 
U.S. Government efforts on IoT security and advance the broader market 
developments that are already underway.
IV. Government and Industry Speaking With One Voice on Consensus-Based 
        Standards Can Best Address Global IoT Cybersecurity Challenges
    CTA believes that the U.S. Government should continue to play its 
critical role in convening activities among different ecosystem 
stakeholders. NIST's work related to cybersecurity is illustrative of 
the productive role government can play in these efforts. The 
Cybersecurity Framework has been an incredibly successful and important 
public-private partnership, and NIST's guidance on IoT security 
baseline capabilities has the potential to have a similar impact. CTA 
believes the Committee should continue to support this approach.
    Ultimately, dynamic solutions driven by powerful market forces are 
the best answer to global, systemic challenges to IoT security. CSDE, 
C2 and other ongoing industry efforts demonstrate that industry is 
committed to these dynamic solutions based on the conviction that these 
solutions can work. Specifically, IoT security solutions must include 
and rely on:

   Ecosystem-wide consensus. We are seeking a baseline security 
        consensus that includes all major stakeholders globally, not 
        just a single industry sector, association, vertical or 
        national/regional jurisdiction. A key pillar of market-driven 
        IoT security is achieving technical consensus on security 
        specifications that, in turn, can be assessed and communicated 
        to buyers and other market participants.

   Voluntary standards and best practices. We are taking on 
        this challenge voluntarily for industry's own interests in a 
        global marketplace. In contrast, prescriptive compliance-based 
        regulations in various jurisdictions would handicap these 
        efforts.

   Standards that scale. We believe that security 
        specifications driven by powerful global market demands and 
        fueled by ever-improving security innovations of technical 
        experts are the best method to advance IoT security. Government 
        policies should be structured to promote this dynamic. In 
        contrast, regulatory requirements that would differ by 
        jurisdiction would inhibit security.

    It is critical to recognize IoT security is not a domestic problem 
in the U.S. that can be solved merely by domestic solutions. The 
October 2016 Mirai botnet attack on Dyn that took down many of the most 
popular websites on the U.S. and UK Internet was global: 89.1 percent 
of the enormous inbound attack traffic came from devices installed 
outside the U.S.\12\ In other words, enhancing the security of devices 
in the U.S. alone would not have prevented the Mirai attack or 
substantially mitigated its impact.
---------------------------------------------------------------------------
    \12\ See Internet Protocol (IP) address analysis by Imperva, 
Breaking Down Mirai: An IoT DDoS Botnet Analysis (Oct. 2016), https://
www.imperva.com/blog/malware-analysis-mirai-ddos-botnet/
---------------------------------------------------------------------------
    IoT security is not merely a U.S. interest. Other government bodies 
around the globe are seeking answers including the European Union 
Agency for Network and Information Security, the United Kingdom's 
Department for Digital, Culture, Media and Sport and Japan's Ministry 
of Economy, Trade and Industry. This international interest in IoT 
security also underscores the importance of a common approach.
    Market-driven security solutions, promoted by government leaders 
and agencies, can best address the global IoT security challenge at 
scale. With cooperation between CSDE, CTA, NIST, NTIA, industry, 
retailers and assessment bodies all moving in the same direction and 
with the same strategy, the message coming from the U.S. in 
international fora is clear, meaningful and impactful. We encourage the 
Committee to continue to champion this approach.
V. Conclusion
    In summary, industry is working with government to make significant 
and rapid progress in navigating the expeditious and effective possible 
path to national and global IoT security. This Subcommittee has and 
will continue to play an important role in building the foundation for 
this progress. We ask that the Subcommittee continue to support and 
promote the groundbreaking efforts underway at NIST, DHS, DOC and other 
agencies, as well as across the industry, that are providing formal 
processes and structures to lead the global IoT to a secure future.

    Senator Sullivan [presiding]. Thank you, Mr. Bergman.
    Mr. Geiger.

                  STATEMENT OF HARLEY GEIGER, 
               DIRECTOR OF PUBLIC POLICY, RAPID7

    Mr. Geiger. Thank you very much for holding this hearing on 
the important issue of IoT security, and for giving me the 
opportunity to testify on behalf of Rapid7.
    Rapid7 is a cybersecurity and data analytics company. We 
have a headcount of about 1,300 people and 7,800 customers 
worldwide, and we partner closely with security and IT firms to 
empower organizations to securely advance and to protect their 
users. We have four recommendations for the Committee:
    First, Congress should pass data security legislation. 
Security of personal information is fundamental to privacy and 
must be included in any privacy legislation. This is distinct 
from breach notification. Legislation that requires reasonable 
risk-based security for personal information will apply to IoT 
devices that collect and process that information. Because the 
requirement for reasonable security would be tied to a 
definition of personal information rather than a definition of 
IoT, it would cut across IoT deployments in various sectors and 
encompass the other technologies that integrate with an IoT 
device. Many IoT vulnerabilities implicate personal 
information, such as credentials, audiovisual recordings, and 
geolocation. And a Federal data security law would require 
better IoT security in sectors that are otherwise not covered 
by the jurisdiction of Federal agencies.
    Second, Congress should support enforceable agency actions 
on IoT security. Federal agencies have domain expertise and 
existing authority to require basic IoT security within their 
areas of jurisdiction, such as the FDA for medical devices, 
NHTSA for cars, CPSC for product safety, FAA for drones, and 
OMB for government procurement. Many agencies, but not all, 
have begun the work of clearly describing their expectations 
for IoT security. Congress should support these efforts and 
exercise its oversight role to ensure that these efforts are 
effective. This should include security-by-design principles 
and industry standards, and not rely solely on voluntary 
guidance. For the most part, basic IoT security precautions are 
already widely recognized. The problem is lack of adoption.
    Third, Congress should facilitate programs to help 
consumers identify secure IoT devices. Consumers purchasing IoT 
devices often have little insight into whether that device is 
secure. Rapid7 recommends that Congress support voluntary 
consumer awareness programs, such as certifications, seals, or 
labels, like ENERGY STAR or the nutrition label, to let 
consumers know whether an IoT device has critical security 
features. Providing consumers with clear information about 
security features in IoT devices will foster market competition 
based on security, build trust in the security of IoT products, 
and help consumers fulfill their role in maintaining security.
    Fourth, and last, Congress should avoid new regulations 
that chill beneficial security research. Any new regulations 
related to IoT should not impose blanket access or use 
restrictions that hinder independent research and repair. Time 
and again, good-faith researchers or white-hat hackers have 
discovered and reported IoT vulnerabilities, often in 
coordination with IoT manufacturers, and these prompt patches 
and other mitigations that ultimately protect consumers. 
Independent researchers will be critical to match the growing 
need for security as IoT devices are more widely deployed.
    Members of the Committee, IoT security, if we're going to 
do it right, will require a societal response. There are many, 
many different types of IoT and IoTs integrated with an 
ecosystem of other technologies. The specific security needs 
for these different IoT deployments and different technologies 
will vary, so there is no single solution, but there are 
important roles for government, for manufacturers and 
operators, as well as for consumers, to play. The Federal 
Government need not accept the premise that its only role on 
IoT security is that of a convener. We can, and we should, 
expect basic protections for IoT devices and for personal 
information. The technical and the policy barriers are not 
insurmountable.
    These digital devices are coming online at an unprecedented 
rate, and failure to integrate reasonable security now will 
result in a wave of cybersecurity risk that will linger in 
enterprises, households, and infrastructure for some time to 
come. Unsecure IoT devices will be like the new asbestos. We 
will build them into our environments, only to have to rip them 
back out, years later, and wonder why our predecessors did not 
have the forethought to ensure basic security from the start.
    Thank you. And I look forward to your questions.
    [The prepared statement of Mr. Geiger follows:]

 Prepared Statement of Harley Geiger, Director of Public Policy, Rapid7
    Chairman Sullivan, Ranking Member Markey, and Members of the 
Subcommittee: Thank you for inviting me to provide testimony on this 
important issue on behalf of Rapid7. Rapid7 is a cybersecurity and data 
analytics firm headquartered in Boston, MA, with offices around the 
world. Rapid7's solutions manage cybersecurity risk and simplify the 
complex, allowing security teams to work more effectively with IT and 
development to reduce vulnerabilities, monitor for malicious behavior, 
investigate and shut down attacks, and automate routine tasks. Over 
7,800 customers worldwide rely on Rapid7 technology, services, and 
research to improve cybersecurity outcomes, protect consumers, and 
securely advance their organizations.
Introduction
    The Internet of Things (IoT) has great potential for technological 
innovation, economic growth, and enhanced quality of life. To reap 
these benefits while safeguarding consumers, businesses, and 
infrastructure, comprehensive cybersecurity protections will be needed. 
Many of the technical and policy issues related to IoT are not unique 
to this field. However, the diversity and quantity of IoT devices apply 
familiar cybersecurity problems to new business sectors at a larger 
scale.
    Broad deployment of IoT will grow the risk of breach of personal 
information and create a much larger attack surface for malicious 
actors. Security vulnerabilities that once affected laptops and 
smartphones can now affect refrigerators, implantable medical devices, 
automobiles, and more. High-profile examples of this concern include 
IoT devices infected by malware and leveraged to launch powerful 
attacks that disrupted Internet service in large swathes of the US.\1\ 
Digital devices are coming online at an unprecedented rate, and a 
failure to integrate reasonable security standards now will create a 
wave of cybersecurity exposure that will linger in enterprises, 
households, and infrastructure for some time.\2\
---------------------------------------------------------------------------
    \1\ Nicole Perlroth, Hackers Used New Weapons to Disrupt Major 
Websites Across U.S., New York Times, Oct. 21, 2016, https://
www.nytimes.com/2016/10/22/business/internet-problems-attack.html.
    \2\ Gartner estimates 25 billion connected devices will be in use 
by 2021. Gartner Identifies Top 10 Strategic IoT Technologies and 
Trends, Gartner, Nov. 7, 2018, https://www.gartner.com/en/newsroom/
press-releases/2018-11-07-gartner-identifies-top-10-strategic-iot-
technologies-and-trends.
---------------------------------------------------------------------------
    There is growing recognition that purely voluntary risk management 
of IoT by the private sector is not adequately effective, and that 
government needs to facilitate or mandate adoption of basic security. 
An endless push for more voluntary guidance or frameworks delays 
meaningful security requirements and enforcement. Policymakers have 
recognized the issue and are starting to take action--at the Federal 
and state level, in the Executive and Legislative Branches, as well as 
internationally. However, the drive for governments to take a more 
active role must also be balanced against the risk of a fragmented or 
overly prescriptive regulatory landscape. The sheer complexity of laws 
can itself be a barrier to security.
    Nonetheless, the Federal Government need not--and should not--
accept the premise that its only role in IoT security is that of a 
convener. Nor would innovation be irreparably stifled by advancing 
security or transparency baselines for devices that collect intimate 
details about consumers and whose collective computing power can form a 
weapon that threatens critical infrastructure.
    Rapid7 has four recommendations for Congress:

  1)  Require reasonable security of personal information. Security of 
        personal information is fundamental to privacy and should be 
        included in any privacy legislation. Legislation that requires 
        risk-based security requirements for personal information will 
        apply to IoT devices collecting and processing that 
        information. This will strengthen some aspects of IoT security 
        in sectors that are otherwise not covered by the jurisdiction 
        of Federal agencies.

  2)  Support coordinated but enforceable agency actions on IoT 
        security based on industry standards. Federal agencies should 
        be empowered to require reasonable security for IoT, including 
        security-by-design principles, within their areas of 
        jurisdiction. To the extent possible, agency requirements 
        should be harmonized by following a consistent baseline 
        supported by industry standards. Voluntary guidance should not 
        replace formal accountability and enforcement mechanisms when 
        baseline security is not met. Congress should exercise its 
        oversight role to ensure agency efforts are effective in 
        strengthening IoT security.

  3)  Facilitate voluntary transparency programs for consumer IoT 
        security. Congress should support voluntary consumer awareness 
        programs to enhance the transparency of critical security 
        features of consumer IoT devices, such as certifications, 
        seals, or labels. Providing consumers with clear information 
        about critical security features in IoT devices will foster 
        market competition based on security, promote innovation in 
        security, and build trust in the security of IoT products.

  4)  Avoid new regulations that chill beneficial security research. 
        Any new regulations related to IoT should not undermine 
        cybersecurity by imposing blanket access and use restrictions 
        that hinder independent research and repair. Independent 
        security researchers, acting in good faith, who identify and 
        disclose vulnerabilities in coordination with IoT manufacturers 
        can advance security by boosting the likelihood of remediating 
        otherwise unaddressed vulnerabilities.
I. IoT Security Challenges
1. ``The Internet of Things'' encompasses many technologies
    The great variety of IoT devices is a key consideration for 
policymaking around security. IoT systems can vary considerably from 
one another, particularly consumer versus industrial applications, and 
so can their security needs. Because of this, there is no one-size-
fits-all solution to IoT security, though some basic security features 
that are based on outcomes and existing standards can apply to many 
devices.
    An ``Internet of Things'' device generally refers to a physical 
object that contains a CPU and memory, runs software, communicates with 
other devices electronically, and typically uses sensors to collect 
data about its status or environment. This concept encompasses a huge 
range of computers--large and expensive objects such as vehicles and 
industrial robots, as well as small and inexpensive objects such as 
light bulbs and baby monitors. The security risks, and the potential 
consequences of security failures, vary across so many different 
deployments.
    It is also critical to recognize that IoT devices typically do not 
stand alone. Instead, IoT devices are often part of a broader ecosystem 
with several components: distributed sensors gathering data for the 
device, the network transmitting data, cloud storage of data gathered 
by the device, a mobile app for external management and control, 
companion devices, etc. These components can have their own security 
issues that implicate the rest of the ecosystem--for example, device 
security features will not necessarily prevent attacks on a weak mobile 
app or sensitive data from leaking from improperly configured cloud 
storage.\3\ In isolation, security features on the device itself will 
have limited effectiveness.
---------------------------------------------------------------------------
    \3\ Tod Beardsley, R7-2018-52: Guardzilla IoT Video Camera Hard-
Coded Credential (CVE-2018-5560), Rapid7, Dec. 27, 2018, https://
blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-
coded-credential-cve-2018-5560.
---------------------------------------------------------------------------
2. Common vulnerabilities and exposures
    Because IoT devices do not normally look or behave like traditional 
computers, they are often marketed and treated as if they are single-
purpose devices, rather than the general-purpose computers they 
actually are. In addition, IoT brings connectivity to more business 
sectors that previously did not provide networked products and have 
less experience with managing cybersecurity risks. As a result, basic 
precautions to thwart casual attackers that manufacturers might take 
with traditional computers can fail to make it into production of IoT 
devices.
    The items below describe some common vulnerabilities and exposures 
for IoT devices we have encountered. Not all IoT devices suffer from 
all of these issues, but in our experience, it is common to find 
consumer-grade IoT devices that exhibit at least one serious failing.

  a)  Lack of security for stored data: IoT devices and related 
        services often fail to store data in industry-standard, 
        encrypted formats--both if data is captured on the device or 
        held in the cloud.\4\ Failure to protect stored data with 
        cryptography risks breach of the data. This feature is 
        particularly important if the stored data is sensitive or 
        personal to the user.
---------------------------------------------------------------------------
    \4\ Daniel Oberhaus, This Hacker Showed How a Smart Lightbulb Could 
Leak Your Wi-Fi Password, Jan. 31, 2019, https://motherboard.vice.com/
en_us/article/kzdwp9/this-hacker-showed-how-a-smart-lightbulb-could-
leak-your-wi-fi-password.

  b)  Lack of security for data in transit: IoT devices often fail to 
        use modern cryptographic standards or fail to authenticate 
        properly, risking exposure of user data in transport over both 
        the public Internet and local area networks.\5\ This puts the 
        device at greater risk of many active and passive network 
        attacks, which could otherwise be defeated with widely used 
        communication encryption protocols like Transport Layer 
        Security (which, among other things, underpins HTTPS).
---------------------------------------------------------------------------
    \5\ Iain Thomson, Wi-Fi baby heart monitor may have the worst IoT 
security of 2016, The Register, Oct. 13, 2016, https://
www.theregister.co.uk/2016/10/13/
possibly_worst_iot_security_failure_yet.

  c)  Weak credentials: IoT manufacturers occasionally include default 
        or service accounts, which are either difficult or impossible 
        to disable under normal usage. These accounts often use default 
        or easily guessable passwords, and tend to share the same 
        password, key, or token across many devices.\6\ Weak 
        credentials raise the risk that the device can be accessed and 
        controlled by unauthorized users.\7\
---------------------------------------------------------------------------
    \6\ ``Based on field experience, passwords for approximately 15 out 
of 100 devices have never been changed from their default values. And 
just the five most popular user name/password pairs are enough to get 
admin access to 1 out of every 10 devices.'' Positive Technologies, 
Practical ways to misuse a router, Jun. 16, 2017, http://
blog.ptsecurity.com/2017/06/practical-ways-to-misuse-router.html.
    \7\ Dan Goodin, Leak of >1,700 valid passwords could make the IoT 
mess much worse, Ars Technica, Aug. 25, 2017, https://arstechnica.com/
information-technology/2017/08/leak-of-1700-valid-passwords-could-make-
the-iot-mess-much-worse.

  d)  Mobile application access: Many IoT devices include a mobile app 
        for external management and control. Improperly secured mobile 
        applications can be exploited to provide unauthorized users 
        with control of the device.\8\ Some mobile applications are 
        also granted more access rights to a device than what is needed 
        for the application to function properly.\9\
---------------------------------------------------------------------------
    \8\ Andy Greenberg, This Gadget Hacks GM Cars To Locate, Unlock, 
And Start Them, Jul. 30, 2015, https://www.wired.com/2015/07/gadget-
hacks-gm-cars-locate-unlock-start.
    \9\ Dan Goodin, Samsung Smart Home flaws let hackers make keys to 
front door, Ars Technica, May 2, 2016, https://arstechnica.com/
information-technology/2016/05/samsung-smart-home-flaws-lets-hackers-
make-keys-to-front-door.

  e)  Lack of segmentation: When different components of a device share 
        the same memory or circuitry, a flaw in one component can lead 
        to exploitation of another component. For example, an attack on 
        the infotainment system of a vehicle can lead to access of the 
        critical driving functions, such as acceleration or 
        braking.\10\ Non-critical controls should be physically and 
        logically separated from systems implicating safety.
---------------------------------------------------------------------------
    \10\ Andy Greenberg, Hackers Remotely Kill A Jeep On The Highway--
With Me In It, Wired, Jul. 21, 2015, https://www.wired.com/2015/07/
hackers-remotely-kill-jeep-highway.

  f)  UART access: Universal Asynchronous Receiver/Transmitter (UART) 
        interfaces often enable a physically close attacker to access 
        and alter IoT devices in ways that bypass the normal 
        authentication mechanisms via a serial cable connection.\11\ In 
        addition, UART interfaces tend to grant root access, far 
        exceeding the permissions of regular users, which can enable 
        persistent attacks on devices.
---------------------------------------------------------------------------
    \11\ Mark Stanislav and Tod Beardsley, Hacking IoT: A Case Study on 
Baby Monitor Exposures and Vulnerabilities, Rapid7, Sep. 2015, https://
www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-
and-Vulnerabilities.pdf.

  g)  Insufficient update practices: IoT devices, unlike most 
        traditional computers, can lack an effective update and upgrade 
        path once the devices leave the manufacturer's warehouse. In 
        some cases, the manufacturer may no longer provide security 
        support (such as patches) after a device outlives its 
        designated shelf life.\12\ Without a patching capability, it is 
        difficult to correct devices' known security flaws at a large 
        scale, leaving the devices vulnerable to repeated attacks even 
        when a fix is available.\13\ This issue is more prevalent in 
        inexpensive consumer devices that use commodity components, 
        rather than more sophisticated systems.
---------------------------------------------------------------------------
    \12\ See, e.g., Letter from Mary Engle to Richard J. Lutton, Jr. 
re: Nest Labs, Inc., FTC File No. 162-3119, Jul. 7, 2016, https://
www.ftc.gov/system/files/documents/closing_letters/nid/
160707nestrevolvletter.pdf. See also Jessica Rich, What happens when 
the sun sets on a smart product?, Fed. Trade Commission, Jul. 13, 2016, 
https://www.ftc.gov/news-events/blogs/business-blog/2016/07/what-
happens-when-sun-sets-smart-product.
    \13\ Troy Hunt, Data from connected CloudPets teddy bears leaked 
and ransomed, exposing kids' voice messages, Feb. 28, 2017, https://
www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-
ransomed-exposing-kids-voice-messages.

    We do not believe the technical challenges to providing basic 
security for the majority of IoT devices and associated technologies 
are insurmountable at present. We are optimistic that reasonably secure 
IoT deployments will become more common in the future, but we believe 
it is essential that IoT manufacturers be incentivized to incorporate 
widely acknowledged security protections from the design phase forward.
II. Recommendations for Congress
1. Legislation to require reasonable security for personal information
    Rapid7 strongly supports a national framework requiring reasonable 
security for consumers' personal information.\14\ As Congress considers 
privacy legislation, it is critical that security of personal 
information be included, as security is fundamental to privacy.\15\ 
Many of the concerns and events driving the privacy debate, such as 
accidental data breach or malicious hacking, are a result of security 
failures, not failures of notice, choice, transparency, or 
discriminatory use of data.\16\ However, if Federal privacy legislation 
once again fails to move forward, we would urge a standalone 
legislative effort to advance risk-based security for personal 
information.
---------------------------------------------------------------------------
    \14\ Harley Geiger, Updating Data Security Laws--A Starting Point, 
Rapid7, May 4, 2018, https://blog.rapid7.com/2018/05/04/updating-data-
security-laws-a-starting-point.
    \15\ See, e.g., background of Fair Information Practice Principles: 
Department of Homeland Security, Privacy Policy Guidance Memorandum, 
Dec. 29, 2008, https://www.dhs.gov/xlibrary/assets/privacy/
privacy_policyguide_2008-01.pdf.
    \16\ See, e.g., The Equifax Data Breach, U.S. House of 
Representatives, Committee on Oversight and Government Reform, Majority 
Staff Report, Dec. 2018, pg. 4, https://republicans-
oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf.
---------------------------------------------------------------------------
    Legislation establishing an affirmative security obligation for 
entities collecting and processing personal information would prompt 
some basic security improvements to IoT devices that collect and 
process such information. Numerous, though not all, IoT security 
vulnerabilities involve unauthorized exposure of data that is typically 
categorized as ``personal information'' in data security laws, such as 
audio and visual recordings, credentials (username and password 
providing access to an online account), and geolocation data. Because 
the requirement of reasonable security would be tied to personal 
information, rather than a definition of IoT, it would cut across IoT 
deployments in disparate sectors and encompass the other technologies 
(such as cloud storage) that integrate with the IoT device.\17\
---------------------------------------------------------------------------
    \17\ Federal Trade Commission Staff Report, Internet of Things--
Privacy & Security in a Connected World, pg. 49, https://www.ftc.gov/
system/files/documents/reports/federal-trade-commission-staff-report-
november-2013-workshop-entitled-internet-things-privacy/
150127iotrpt.pdf.
---------------------------------------------------------------------------
    There is a great deal of precedent available for reasonable 
security requirements. Half of U.S. states have a data security 
requirement for personal information held by the private sector,\18\ as 
does the European Union's (EU) General Data Protection Regulation.\19\ 
Similar requirements are well-established in sectoral privacy 
regulation, such as under COPPA,\20\ GLBA,\21\ and HIPAA.\22\ What is 
missing outside of those sectors is a nationwide affirmative obligation 
for reasonable security of personal information in the U.S. This would 
provide more consistent expectations for businesses and more consistent 
protection for consumers. However, if the patchwork of current data 
security laws is preempted, a Federal replacement should not establish 
substantially weaker protections than the status quo.\23\
---------------------------------------------------------------------------
    \18\ http://www.ncsl.org/research/telecommunications-and-
information-technology/data-security-laws.aspx
    \19\ Article 32. https://gdpr-info.eu/art-32-gdpr/
    \20\ Children's Online Privacy Protection Act, 16 CFR 312.8.
    \21\ Gramm-Leach-Bliley Act, 16 CFR 314.
    \22\ Health Insurance Portability and Accountability Act, 45 CFR 
164.306.
    \23\ In particular, we urge that a Federal baseline be risk-based, 
not be limited to protecting against economic or physical harm, avoid 
requiring real names to qualify as ``personal information,'' and 
incentivize use of encryption. Harley Geiger, Updating Data Security 
Laws--A Starting Point, Rapid7, May 4, 2018, https://blog.rapid7.com/
2018/05/04/updating-data-security-laws-a-starting-point.
---------------------------------------------------------------------------
    Breach notification requirements only apply after a breach has 
occurred. Data security safeguards are critical to preventing breaches 
before they occur by addressing the root cause of many breaches: 
inadequate security. Too often, breach notification requirements are 
relied on as a substitute for data security--since complying with 
breach notification requirements is expensive and difficult, 
organizations will be inspired to implement strong security safeguards 
to prevent breaches. Yet this approach is not adequate--as demonstrated 
by the continued march of severe data breaches caused by poor security, 
in spite of the enactment of breach notification laws in all 50 states. 
A requirement of reasonable security for personal information is 
distinct from breach notification, and should be considered separately.
    Privacy legislation that fails to integrate security will have 
negative consequences for consumers. Unfortunately, this is occurring 
in several states that are among the half without data security laws--
most notably the Washington Privacy Act,\24\ but also legislation in 
Illinois, Montana, New Jersey, North Dakota, and others.\25\ Some of 
these efforts copycat the California Consumer Privacy Protection Act, 
which did not include data security provisions--but California already 
has a data security law.\26\ This problem will be especially serious if 
a Federal privacy bill excludes security provisions but preempts state 
security laws.
---------------------------------------------------------------------------
    \24\ Washington Privacy Act, SB.5376, Feb. 18, 2019, http://
lawfilesext.leg.wa.gov/biennium/2019-20/Pdf/Bills/Senate%20Bills/
5376-S.pdf.
    \25\ Respectively: SB.1502 (IL), HB.457 (MT), S.2834 (NJ), HB.1485 
(ND).
    \26\ CA Civ. Code 1798.81.5(b)
---------------------------------------------------------------------------
2. Support coordinated but enforceable agency actions on IoT security 
        based on industry standards
    Recognizing the differences in IoT systems, we do not recommend 
Congress attempt prescriptive IoT-specific legislation at this time. 
Instead, regulatory efforts should be undertaken by agencies that 
already oversee those sectors and have deep knowledge of their 
practices. Ideally, regulatory bodies would work in a coordinated 
fashion to achieve consistency where possible. Congress should support 
agencies' efforts and exercise its oversight role to ensure their 
activities are effective in appropriately advancing reasonable IoT 
security.
    Several agencies have started the work of articulating how IoT 
security fits within their authorities. Examples include the Food and 
Drug Administration,\27\ the National Highway Transportation 
Administration,\28\ the Consumer Product Safety Commission,\29\ the 
Federal Energy Regulatory Commission,\30\ the Federal Trade 
Commission,\31\ and the Department of Defense.\32\ Many of these 
efforts are voluntary but provide insight into how agencies expect IoT 
manufacturers and operators to mitigate basic security risks.
---------------------------------------------------------------------------
    \27\ FDA, Content of Premarket Submissions for Management of 
Cybersecurity of Medical Devices, Draft Guidance, Oct. 18, 2018, 
https://www.fda.gov/downloads/MedicalDevices/Device
RegulationandGuidance/GuidanceDocuments/UCM623529.pdf. See also, Food 
and Drug Administration, Postmarket Management for Cybersecurity in 
Medical Devices, Dec. 28, 2016, https://www.fda.gov/downloads/
MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/
ucm482022.pdf.
    \28\ NHTSA, Cybersecurity Best Practices for Modern Vehicles, Oct. 
15, 2016, https://www.nhtsa.gov/staticfiles/nvs/pdf/
812333_CybersecurityForModernVehicles.pdf.
    \29\ CPSC, Statement of Commissioner Kaye, Regarding A Framework Of 
Safety For The Internet Of Things, Jan. 31, 2019, https://www.cpsc.gov/
s3fs-public/A_Framework_for_Safety
_Across_the_Internet_of_Things_1-31-2019_0.pdf.
    \30\ 18 CFR 40.
    \31\ Kristin Cohen and Peder Magee, FTC updates COPPA compliance 
plan for business, Federal Trade Commission, Jun. 21, 2017, https://
www.ftc.gov/news-events/blogs/business-blog/2017/06/ftc-updates-coppa-
compliance-plan-business. Federal Trade Commission, Careful 
Connections, Building Security in the Internet of Things, Jan. 2015, 
https://www.ftc.gov/system/files/documents/plain-language/pdf0199-
carefulconnections-buildingsecurityinternetofthings.pdf.
    \32\ DoD CIO, Policy Recommendations for the Internet of Things, 
U.S. Department of Defense, December 2016, pg. 6, https://www.hsdl.org/
?view&did=799676.
---------------------------------------------------------------------------
    Congress should encourage other agencies to provide explicit 
guidance and, where appropriate, enforceable rules regarding the 
security of internet-connected devices under their jurisdiction. For 
example, the Federal Aviation Administration's cybersecurity 
expectations for unmanned aircraft should be clear, as should the 
Office of Management and Budget's security standards for IoT devices 
procured by the Federal Government. If there is a gap in authority, or 
if existing standards are unacceptably weak, Congress should consider 
legislation to prompt agency action without being overly 
prescriptive.\33\
---------------------------------------------------------------------------
    \33\ For example, Rapid7 supports initiating clear standards for 
Federal Government procurement of IoT, which is the aim of S.734, the 
IoT Cybersecurity Improvement Act of 2019. Jen Ellis, The IoT 
Cybersecurity Improvement Act of 2019, Rapid7, Mar. 27, 2019, https://
blog.rapid7.com/2019/03/27/the-iot-cybersecurity-improvement-act-of-
2019.
---------------------------------------------------------------------------
    NIST's work on authoritative, voluntary standards is extremely 
useful. NIST has dozens of initiatives related to IoT security, with 
about a dozen more planned.\34\ NIST's ongoing work to define a ``Core 
Security Capability Baseline'' will help establish minimum security-by-
design practices that should apply to the vast majority of IoT 
devices.\35\ This can further inform expectations in consumer, federal, 
and industrial contexts. Rapid7's suggestions for these baseline 
capabilities have been the following:
---------------------------------------------------------------------------
    \34\ NIST, IoT Cybersecurity-Related Initiatives at NIST, Apr. 11, 
2018, https://www.nist.gov/itl/applied-cybersecurity/nist-initiatives-
iot.
    \35\ Dept. of Commerce, A Road Map Toward Resilience Against 
Botnets, Nov. 29, 2018, https://www.commerce.gov/sites/default/files/
2018-11/Botnet%20Road%20Map%20112918%20
for%20posting_0.pdf.
---------------------------------------------------------------------------

  1.  Asset identification: The IoT device can be identified on a 
        network.

  2.  Update capability: The IoT device's software and firmware can be 
        updated post-market via a secure process.

  3.  Secure sensitive information: The IoT device can use cryptography 
        to secure stored and transmitted personally identifiable 
        information, safety-critical information, credentials, or 
        otherwise sensitive data.

  4.  No shared credentials: The IoT device does not use a default 
        credential that is shared by many other IoT devices or is 
        widely known.\36\
---------------------------------------------------------------------------
    \36\ California passed this requirement into law Sep. 28, 2018. It 
goes into effect in 2020. California SB 327, Sec. 1, https://
leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201
720180SB327.
---------------------------------------------------------------------------

  5.  Vulnerability handling: The manufacturer should have an 
        administrative process for accepting unsolicited vulnerability 
        reports and acting on them.

    However, it is important to point out that the above baseline 
features are already incorporated into many IoT standards and best 
practices documents. Government agencies, trade groups, and standards 
bodies have released a host of guidance and best practices for 
mitigating IoT security risks.\37\ In fact, these are established best 
practices for traditional technologies, not just IoT.\38\ As a result, 
Congress should be skeptical of claims that it is necessary to wait for 
the development of additional standards or best practices in order to 
have an expectation that the vast majority of IoT devices meet these 
basic features.
---------------------------------------------------------------------------
    \37\ In addition to the guidance cited elsewhere in the testimony, 
see also: U.S. Department of Homeland Security, Strategic Principles 
for Securing the Internet of Things (IoT), Nov. 15, 2016, https://
www.dhs.gov/sites/default/files/publications/
Strategic_Principles_for_Securing_the_
Internet_of_Things-2016-1115-FINAL....pdf. United Kingdom Department 
for Digital, Culture Media, & Sport, Code of Practice for Consumer IoT 
Security, Oct. 14, 2018, https://www.gov.uk/government/publications/
code-of-practice-for-consumer-iot-security. Microsoft, Security best 
practices for Internet of Things (IoT), Oct. 8, 2018, https://
docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-
practices. Online Trust Alliance, OTA IoT Trust Framework v2.5, May 22, 
2018, https://www.internetsociety.org/iot/trust-framework.
    \38\ See, e.g., Council to Secure the Digital Economy, 
International Anti-botnet guide, 2018, https://
securingdigitaleconomy.org/wp-content/uploads/2018/11/CSDE-Anti-Botnet-
Report-final.pdf.
---------------------------------------------------------------------------
3. Facilitate voluntary transparency programs for security of consumer 
        IoT
    Rapid7 recommends Congress support voluntary processes that enhance 
the transparency of critical security features of consumer IoT devices. 
Consumer awareness plays an important role in IoT security, and end 
users would ideally evaluate device security as a routine part of 
purchasing. Yet consumers often have little insight into the presence 
of security features in an IoT device prior to purchase, which hinders 
informed buying decisions. Providing consumers with clear information 
about critical security features in IoT devices will foster market 
competition based on security, promote innovation in security, and 
build trust in the security of IoT products.
    To help address this lack of transparency, numerous government and 
private-sector efforts aim to provide an IoT security certification or 
seal--similar to Energy Star, the recycling symbol, or nutrition 
labels. The National Telecommunications and Information Administration 
facilitated the successful completion of a transparency proposal 
focused on IoT security update capability and end-of-life.\39\ 
Recently, the Departments of Commerce and Homeland Security released 
their ``Botnet Roadmap,'' which includes planned projects related to 
labeling and assessment programs for both consumer and industrial 
IoT.\40\ The EU Cybersecurity Act will also establish voluntary 
certification schemes for IoT, as well as other ICT products and 
services. Per the EU Cybersecurity Act, the certification schemes must 
designate basic, substantial, or high levels of security, with 
reference to available standards.\41\ These schemes aim to strengthen 
the overall level of security in the EU and enable consumers to 
accurately gauge the relative security of certified products.\42\
---------------------------------------------------------------------------
    \39\ The document was produced as part of a consensus-based 
multistakeholder process. National Telecommunications and Information 
Administration, Communicating IoT Device Security Update Capability to 
Improve Transparency for Consumers, Jul. 18, 2017, https://www.ntia
.doc.gov/files/ntia/publications/
communicating_iot_security_update_capability_for_consumers
_-_jul_2017.pdf.
    \40\ Completion of this work is not expected until mid-2021. Dept. 
of Commerce, A Road Map Toward Resilience Against Botnets, Nov. 29, 
2018, pgs. 5-8, https://www.commerce.gov/sites/default/files/2018-11/
Botnet%20Road%20Map%20112918%20for%20posting_0.pdf.
    \41\ See Articles 46, 51-54. European Parliament, Cybersecurity 
Act, Adopted Text, Mar. 12, 2019, http://www.europarl.europa.eu/sides/
getDoc.do?pubRef=-//EP//NONSGML+TA+P8-TA-2019-0151+0+DOC+PDF+V0//EN.
    \42\ Id., Recitals 6-10.
---------------------------------------------------------------------------
    In addition to these important efforts, we are encouraged that 
Congress is also exploring market-based means to bring information 
about the security of IoT products to the attention of consumers.\43\ 
Senator Markey's Cyber Shield Act would require the Department of 
Commerce to convene public- and private-sector experts to establish 
security benchmarks for select connected products. The working group 
would be encouraged to incorporate existing standards rather than 
create new ones, and the benchmark would change over time to keep pace 
with evolving threats and expectations. The process, like that which 
produced the NIST Cybersecurity Framework, would be open for public 
review and comment. Manufacturers may voluntarily display ``Cyber 
Shield'' labels on IoT products that meet the security benchmarks (as 
certified by an accredited testing entity).\44\
---------------------------------------------------------------------------
    \43\ Harley Geiger, Legislation to Strengthen IoT Marketplace 
Transparency, Jun. 26, 2017, https://blog.rapid7.com/2017/06/26/
legislation-to-strengthen-iot-marketplace-transparency.
    \44\ Cyber Shield Act of 2017, S.2020, 115th Cong., Oct. 26, 2017.
---------------------------------------------------------------------------
    The approach is not without its challenges. To be effective, the 
security benchmarks must be clear and focused, and consumers should 
recognize the certification or seal does not promise complete security. 
The program would need buy-in from security experts and responsible 
manufacturers. Nonetheless, strengthening the IoT ecosystem will 
require a multi-pronged approach from policymakers, and Rapid7 believes 
initiatives like these can be very useful tools for empowering 
consumers.
4. Avoid chilling independent security research
    IoT security risks can prompt regulatory proposals to block access 
to device software unless authorized by the manufacturer or operator. 
Rapid7 believes this approach would be misguided. While safety and 
crime deterrence are certainly important considerations for IoT, any 
new regulations related to IoT should not undermine cybersecurity by 
imposing blanket access and use restrictions that chill independent 
research and repair. Independent security researchers will be critical 
to match the greater need for security as IoT devices are more widely 
deployed. Time and again, good-faith researchers or ``white hat 
hackers'' have discovered and reported IoT security vulnerabilities, 
prompting patches and other mitigations that ultimately protect 
consumers.
    Several existing laws chill security research, which can hinder 
independent efforts to assess the security of IoT devices. The Computer 
Fraud and Abuse Act (CFAA), Section 1201 of the Digital Millennium 
Copyright Act (DMCA), and other laws contain broad prohibitions on 
access to computers and software.\45\ Although we recognize the 
beneficial role of these laws in deterring cybercrime, balancing 
greater flexibility for independent research and repair with law 
enforcement needs is increasingly important as IoT proliferates faster 
than the cybersecurity workforce.
---------------------------------------------------------------------------
    \45\ Deirdre Mulligan, Nick Doty, and Jim Dempsey, Cybersecurity 
Research: Addressing the Legal Barriers and Disincentives, Berkeley 
Center for Law and Technology, Sep. 28, 2015, http://ondoc.logand.com/
d/5689/pdf.
---------------------------------------------------------------------------
    As compared to several years ago, policymakers more frequently 
recognize the value of independent security research. For example, in 
2018, the U.S. Copyright Office renewed a temporary exemption to Sec. 
1201 of the DMCA for security research,\46\ and expressed support for 
making the security research protections permanent.\47\ The Department 
of Justice strongly urged renewal and expansion of the DMCA protections 
for researchers.\48\ Another example: In 2016, the state of Washington 
included helpful protections for white hat security researchers in the 
state's cybercrime laws.\49\
---------------------------------------------------------------------------
    \46\ Harley Geiger, Expanded Protections for Security Researchers 
Under DMCA Sec. 1201, Rapid7, Nov. 1, 2018, https://blog.rapid7.com/
2018/11/01/expanded-protections-for-security-researchers-under-dmca-
sec-1201.
    \47\ U.S. Copyright Office, Section 1201 of Title 17, Report of the 
Register of Copyrights, Jun. 2017, pgs. 74-76, https://
www.copyright.gov/policy/1201/section-1201-full-report.pdf.
    \48\ U.S. Dept. of Justice, Letter from John Lynch (CCIPS) to Regan 
Smith (USCO), Jun. 28, 2018, https://www.copyright.gov/1201/2018/USCO-
letters/USDOJ_Letter_to_USCO.pdf.
    \49\ Revised Code of Washington 9A.90.030(10)-(11).
---------------------------------------------------------------------------
    Other Federal and state legislative proposals related to IoT would 
have imposed broad and redundant restrictions on access to connected 
devices. For example, in 2015, a House Energy and Commerce Subcommittee 
released draft legislation that would have levied heavy fines on anyone 
accessing car software without manufacturer authorization for any 
reason--regardless of whether the accessor had purchased the car, or if 
the car was accessed for cybersecurity research purposes.\50\ The 
following year, a similar bill restricting access to vehicle software 
was introduced in the Michigan Senate.\51\ Proposals such as these are 
not just overbroad, but also largely redundant of existing laws 
prohibiting unauthorized access and use of computers.\52\
---------------------------------------------------------------------------
    \50\ Harley Geiger, Draft Car Safety Bill Goes In The Wrong 
Direction, Center for Democracy & Technology, Oct. 20, 2015, https://
cdt.org/blog/draft-car-safety-bill-goes-in-the-wrong-direction.
    \51\ Joint letter to Michigan Senator Mike Kowall ``Re: Car Hacking 
Legislation--S.B. 0927 (2016),'' May 16, 2016, https://www.rapid7.com/
globalassets/_pdfs/policy/letter-re-sb-0927-
from-cybersecurity-researchers-051616.pdf.
    \52\ Id.
---------------------------------------------------------------------------
    Such restrictive proposals would hinder legitimate security 
researchers and repair services that can assess and fix the devices' 
cybersecurity vulnerabilities. Security researchers identify errors and 
vulnerabilities in software, digital devices, and networks, and 
disclose them to prevent their exploitation by criminals. This research 
strengthens cybersecurity because the researchers call attention to 
vulnerabilities that manufacturers may have missed or ignored, which 
encourages manufacturers or other parties to make the appropriate fixes 
or mitigations to keep people safe. As the growth of IoT devices 
creates a larger attack surface for malicious actors, it will be 
crucial to foster an environment where good-faith disclosure of 
security issues in devices or systems is taken seriously and openly, 
rather than with threats or avoidance.\53\
---------------------------------------------------------------------------
    \53\ Cybersecurity Coalition, Policy Priorities for Coordinated 
Vulnerability Disclosure and Handling, Feb. 25, 2019, https://
www.cybersecuritycoalition.org/policy-priorities.
---------------------------------------------------------------------------
    We thank the Committee for holding this hearing and for providing 
us the opportunity to share our views.

    Senator Sullivan. Great.
    Well, thank you, to all the witnesses. Very informative 
testimony.
    Let me begin by talking--when you mention--I'm going to 
open this up for everybody--you know, Mr. Geiger, you just 
talked about government policy. One element that--it's actually 
as much a national security issue, but a number of us on this 
committee actually sit on the Armed Services Committee. Two 
years ago, there was a hearing on this topic, cybersecurity, 
and it became very apparent that the consensus was that the 
United States, when attacked by a state actor--say, Russia, 
China, North Korea, Iran--we had a very, very low level of 
responding, almost zero deterrence. There was an exchange that 
we had--I actually had with the former Chairman Clapper of 
the--Director of National Intelligence. And I asked him 
specifically, in an open hearing, if the United States 
retaliated against China after China hacked into the Office of 
Personnel Management and stole over 22 million SF-86 forms, our 
top-secret national security forms of national security 
intelligence people, including CIA operatives. He said no. He 
said no. So, there was a broad-based consensus coming out of 
that hearing, even among the witnesses--this is the end of the 
Obama administration--that we were viewed kind of as the 
world's cyber punching bag, meaning we got hit and almost 
never--never hit back, and certainly weren't establishing a 
policy of deterrence, meaning, ``If you come after us, we will 
hit you back twice as hard.'' A state actor. Russia, China, 
North Korea. Where do you think we are on that? Where do you 
think the United States is viewed on that? Do you think state 
actors who do cybersecurity--or cyberattacks on the United 
States, whether it's companies or government agencies, worry 
about the costs that could be incurred by a very substantial, 
harmful American retaliation, whether it's overt or covert?
    I'll just open that up to everybody. Because that 
perception, I think, is a very important element to this whole 
problem.
    Go ahead. Mr. Eggers.
    Mr. Eggers. Given that I often convene events and am 
looking for people to respond to questions, I will help jump 
in, here.
    So, if I left the Committee and the folks watching this 
hearing with one thing, it's that the Chamber is trying to 
address, collectively, a challenge that we know we have. And we 
have had some good experiences with working with NIST and other 
parts of government to deal with IoT threats. And we're trying 
to take a problem off the table.
    Senator Sullivan. You don't think it's in the United States 
interest to retaliate, either overtly or covertly, against 
the----
    Mr. Eggers. So, on the----
    Senator Sullivan.--state actor who hacks----
    Mr. Eggers.--on the----
    Senator Sullivan.--into, say, your OPM system, and steals--
--
    Mr. Eggers. On the deterrence piece, the Chamber's been 
very vocal on the need for deterrence and pushback.
    Senator Sullivan. And do you think we are viewed as a 
country that will up the costs of somebody--a state actor--that 
conducts cyberattacks against us?
    Mr. Eggers. I think--and I'll finish one quick point--is, I 
think one of the things that needs to complement the IoT cyber 
baseline is to push back against bad actors who would hack IoT 
devices and then try to get in the networks. The private 
sector, we're going to be doing the defense work. We can't do 
it alone.
    Senator Sullivan. Right.
    Mr. Eggers. One of the things we'd like to see more of is 
deepening collaboration between voluntary industry groups, 
parties, and parts of government that want to facilitate such 
activity.
    Senator Sullivan. Oh, I get it. It's hard for the U.S. 
Chamber to go on offense. It's--but, it's not hard for the U.S. 
Government to go on offense.
    Mr. Mayer. You have a----
    Mr. Mayer. I think----
    Senator Sullivan. You want to----
    Mr. Mayer. I think--sir, I think that's the point. I think 
nobody, whether it's industry or government, wants to see the 
United States as a punching bag in any----
    Senator Sullivan. Do you think that was the view, though, 
over the last couple of years?
    Mr. Mayer. I don't know. We've been, certainly, victimized 
by state aggression. And that's obvious. Whether they did it 
out of fear or, you know, that--to show--you know, they did it 
out of a motivation to obtain information and intellectual 
property and other motivations. But, I think, first of all, 
from a government policy perspective, we know that the mission 
now of U.S. Cyber Command, it goes beyond just defensive. They 
have authorities and capabilities now to move in the offensive 
arena. I think----
    Senator Sullivan. Correct.
    Mr. Mayer. I think----
    Senator Sullivan. And that's important.
    Mr. Mayer. I--right. And I think it's industry's view that 
we encourage the government to do whatever they can, because we 
are often victimized. We're collateral damage in this 
international geopolitical struggle. And anything that the 
government does to help protect industry and support our 
efforts to defend our networks and our customers is helpful.
    Senator Sullivan. Thank you.
    Senator Scott.

                 STATEMENT OF HON. TIM SCOTT, 
                U.S. SENATOR FROM SOUTH CAROLINA

    Senator Scott. Thank you, Mr. Chairman.
    So, China's been a bad actor for a long time. They've 
stolen--they steal our technology, they don't give us the same 
opportunity to compete there as we give them opportunities 
here. Why--I'd like to hear from each of you--why don't we just 
outlaw--why doesn't the government just say, companies like 
Huawei, ``You can't do business in America. We know that you're 
not acting in our best interests. We know you're part of the 
Chinese government. And why would we allow you to not just--not 
do business with the American government, but do business with 
any company in this country?'' I--you know, you take my State, 
utilities are pretty important. I wouldn't want them to do--you 
know, logically, they shouldn't do business with Florida Power 
& Light or any of these other companies. So, why don't we just 
outlaw companies like that, that we know are bad actors?
    Mr. Geiger. I'd say, to--setting aside the potential issues 
with regard to our trade agreements--our existing trade 
agreements, the key features for security don't really matter 
where the device is manufactured and, you know, whether it's in 
China or Vietnam or elsewhere. And if we want to ensure that we 
have a strong baseline for IoT that protects people around the 
world--because the security of IoT outside of the United States 
also has a great effect on the security of the United States--
then I think that, rather than banning companies, we should be 
looking to establish a baseline of security for IoT to have 
access to our market.
    The--one of the botnets that was mentioned earlier, the 
Mirai botnet, many of those devices actually were outside of 
the United States rather than inside. So, we do have an 
interest in seeing security, worldwide, be strengthened. And 
I'm not sure that banning the companies will achieve that as 
effectively as saying--a baseline security requirement for 
access to our market.
    Mr. Bergman. Senator, thank you for the question.
    In a global economy and a global ecosystem of the Internet 
of Things, the intellectual property for the chip may be 
developed in one country, the chip may be fabricated in another 
country, the device built in a third country, then labeled and 
marketed in a fourth country, and sold in a fifth. In this 
merged global ecosystem, CTA's focus is on the security of the 
devices, themselves. And we're working with our partners at 
CSDE, working with NIST, working with the large number of 
partners that we've brought together for the consensus, the C2 
consensus that I described in my opening statement, which was 
core baseline security for the Internet of Things on a--an 
industry basis, parallel tracking what NIST is doing, and 
coming up with very similar responses to what NIST is coming up 
with. Overall, we feel that that is the fastest, most 
efficient, quickest way to get us to a more secure Internet.
    Mr. Eggers. Senator, to respond, I think we've got a number 
of organizations in government and industry looking at how to 
mitigate threats from foreign nations. At the Chamber, we're 
very much interested in expanding commerce globally. We're not 
looking to be, let's say, ``dragon slayers.'' Everyone's 
cognizant of companies that are problematic. And I think 
organizations have been very clear about what they're willing 
to accept and not accept. In terms of building out, let's say, 
the IoT 5G space, we're very mindful of the risks. I will tell 
you that for sure.
    You know, I think one of the things that the Chamber is 
very mindful of is, having organizations that need to do 
business globally. When we think about attempting to blacklist 
companies and so forth, I understand that. I do. I just don't 
know how that is sustainable, long term, when certain countries 
aren't going anywhere, maybe their companies aren't. But we're 
very mindful about what the playing field is and who's playing 
on it and what may need to be done. And we're interested in 
what happens with the new Federal Acquisition Security Council 
to see what it plans to do with respect to companies that are 
domiciled in certain countries.
    Mr. Mayer. Senator, I think one of the things we want to be 
careful about is that there--we're in an area, here, where 
there are no silver bullets. And I think, in the area of IoT, 
if we eliminated all the product from the company you've 
described, I doubt we would be any more secure, from an IoT 
perspective. There are other manufacturers that are delivering 
products that are not secure and are vulnerable to attacks in 
other countries. They sell them globally. That's part of the 
challenge we face.
    Having said that, I would say that our members, in 
particular--USTelecom members--are very cognizant of the 
security--national security issues that have been raised over a 
period of many years with respect to the company that you had 
mentioned. Starting in 2012, with the Senate Select 
Intelligence Committee putting providers on notice that there 
were issues here, all the way to recent reports from the U.K., 
as well as the United States position with respect to concerns 
about national security. And therefore, we're not deploying it.
    So, we, in industry, really cannot always wait for the 
government to come up with a clear position. And, you know, the 
NDA made--NDAA made some progress in this area, but it--it's 
limited in its coverage. Yet, we have to decide, as an 
industry, that we're not going to take on the national security 
risk. And I think there are a lot of areas when an IoT--the IoT 
work that we're doing, in particular, is an area where, yes, 
we're watching closely what's happening at NIST and other 
standards bodies, but we've decided that we needed to get in 
front of this, we need to collaborate together, we need to 
understand what the global landscape looks like, what other 
governments are doing, and how do we advance the security 
objectives, in partnership with government, but also 
independently.
    Senator Sullivan. Senator Sinema.

               STATEMENT OF HON. KYRSTEN SINEMA, 
                   U.S. SENATOR FROM ARIZONA

    Senator Sinema. Thank you, Mr. Chairman, for holding this 
timely and important hearing.
    Every day, the Internet of Things, or IoT, continues to 
expand in the United States. And IoT devices are becoming 
increasingly common in areas of our homes, such as smart 
speakers, smart light bulbs, wearable technology, driverless 
cars, and smart door locks. And, given Arizona's weather, it's 
no surprise that we love smart thermostats, too. Beyond 
personal use, the IoT is used extensively in industry, where 
IoT devices can make production lines more efficient and track 
components through the manufacturing and delivery process.
    As of 2018, there were over 7 billion connected devices 
globally, and studies estimate that number will balloon to 25 
billion by 2021. These devices can improve both our lives and 
our economy, but the unprecedented access into our personal 
data and confidential business information requires us to 
rigorously review the cybersecurity protections of these 
devices.
    The weakest technology component, such as certain unsecure 
IoT devices, can be access points for intruders to our home, 
business, and our government networks. During a 2018 hearing, 
the Director of the Defense Intelligence Agency stated that IoT 
devices are one of the, quote, ``most important emerging 
cyberthreats.'' And right now, we do not have national security 
standards for IoT devices. That means the individual device 
manufacturers have the discretion whether or not to include 
security features.
    But, these issues are so important for my State, because 
Arizona has a blooming tech sector, lots of highly educated 
workers, and cutting-edge companies working in the IoT space, 
and we're developing the IoT technologies of the future. 
Researchers at Arizona State University are testing wearable 
devices for our troops to communicate with each other in 
combat, and local cybersecurity companies are working to 
mitigate the cybersecurity threat of IoT devices.
    But, our country needs to do a better job developing IoT 
cybersecurity standards, educating users, particularly elderly 
users, about the cyber risks and solutions for devices, and 
increased transparency for consumers.
    So, my first question is for Mr. Eggers. In your testimony, 
you discussed whether customers will be able to identify a 
device with strong cybersecurity protections without a 
nonregulatory tool. So, your testimony also questions whether 
consumers would be willing to pay a premium for these 
additional security features. So, how important are 
transparency, labeling, and education related to IoT 
cybersecurity? And how can we best ensure that consumers, 
particularly elderly Americans, understand the safety features, 
or lack thereof, of the devices they purchase?
    Mr. Eggers. Senator, thanks for the question.
    I think your constituents in Arizona would very much 
welcome the kind of effort on this core cyber IoT capabilities 
baseline. They would see it as something that speaks to them 
and would be helpful in securing new devices.
    I share your thinking about how we figure out, let's say, a 
strong device from a less strong one. Right now, we're focused 
on the technical specifications to grow consensus with folks 
here at the table. One of the things we're also thinking about, 
What comes next? That is, how we help buyers, consumers, 
households, universities, and governments understand and 
discriminate among devices in a positive way. I think what 
we're going to probably look to next is figuring out, 
collectively, how we do that. It's easy to say that we will 
talk about issues like labels and marks. They can be fraught 
with different perspectives. One of the things we're going to 
try to do is figure out what helps solve that problem. And the 
goal is to help your constituents, young or elderly, go to the 
store, shop online, and identify strong devices and buy them. 
Because I think, if anything, that benefits the entire 
ecosystem. I don't know exactly what that's going to look like, 
to be honest, but that's one of the things we're thinking 
about, how we do that well.
    Senator Sinema. Thank you.
    So, my next question is both--again, for you and for Dr. 
Romine--but, I welcome the thought of witness--other witnesses. 
If Arizonans are concerned with the cybersecurity of their 
devices, what steps should they take to minimize their 
cybersecurity risks today in the marketplace?
    Mr. Eggers. Mr. Romine, you want to take that? Or I can.
    Dr. Romine. It's pretty challenging, I think, for 
individuals to be able to understand the level of risk 
associated with products that are currently on the market. I 
think one of the things that we can do, and one of the things 
that NIST is trying to do, in partnership with the private 
sector, is to spread greater awareness of, perhaps, security as 
a different shading factor among different devices. But, 
there's still a lot of work to be done in that area. I think we 
can do more.
    Mr. Eggers. Senator, the Chamber has had for a number of 
years, probably a decade or so, programs where we go out and 
visit local chambers and bring in universities, State 
governments, and so forth, to talk about things like the NIST 
cyber framework. I anticipate that IoT cyber will be part of 
that. We will be promoting the baseline.
    It's interesting, I just bought a new HVAC system for my 
home, and one of the things that I was able to get was a smart 
control. And I asked, ``Tell me about the cybersecurity of this 
device.'' And I didn't get as much as I wanted. And suffice it 
to say, I kind of kidded with the person selling it. I said, 
``You know, I'm in the process of trying to figure this out.'' 
I added, ``I want to come back to you in a couple of years, if 
not less, and work with you on some means of being a more 
educated consumer.''
    But, I do think that that is the kind of thing that we are 
going to wrestle with and seek and provide solutions. If 
anything, from our vantage point, we have to for the 
marketplace to work well.
    Senator Sinema. OK.
    Thank you.
    Senator Sullivan. Senator Fischer.

                STATEMENT OF HON. DEB FISCHER, 
                   U.S. SENATOR FROM NEBRASKA

    Senator Fischer. Thank you, Mr. Chairman.
    Mr. Bergman, does a coordinated effort among industry, 
academic, and government stakeholders, such as in the working 
group outlined in the DIGIT Act, play a key part in enabling 
both innovation and security development for the Internet of 
Things?
    Mr. Bergman. Thank you for the question, Senator.
    CTA has been involved in a number of coordinated activities 
in the public/private basis and throughout industry. We are 
finding that the nature of cooperation and the direction of 
travel of the different efforts tends to be moving in the same 
direction, and the nature of cooperation has been fabulous.
    As I mentioned before, CTA, working with CSDE, convened 18 
large organizations, each of which has its own block of 
technical experts. These conveners convened under one roof, 
brought in each of those groups of technical--each--the 
expertise of each of those groups, and together we were able to 
forge a baseline security consensus, which we then went off and 
spoke with NIST about and found that our baseline was coming in 
very, very similar to theirs. And then, immediately after that, 
NIST went off to international meetings to promote the U.S. 
interests.
    So, I would say that the public/private partnership, the 
work that we've done so far within industry, with civil 
society, with retailers, who are now asking for consistent 
industry-accepted, government-approved ways of conveying a 
message of cybersecurity between them and their vendors, the 
manufacturers, how to get that into supplier-vendor agreements. 
The fact that we've got UL as part of this overall effort, CTIA 
also has a robust certification process--assessment and 
certification process--it's all coming together in the--kind of 
the same direction.
    So, I appreciate the opportunity to talk about this. And I 
have to say, there's plenty more. And be happy to follow up 
with your office separately.
    Senator Fischer. So, from your comments, I would say you 
believe we're moving in the right direction.
    Mr. Bergman. Yes, absolutely. I----
    Senator Fischer. My question, then, is----
    Mr. Bergman. I beg your pardon.
    Senator Fischer.--are we moving quickly enough?
    Mr. Bergman. I believe we're moving in the fastest possible 
way. When market forces are pulling, the government is pushing, 
industry is pushing, everyone is working together, I believe 
that is the fastest, most efficient way to move. And, by the 
way, we would like to commend the Commerce Committee for their 
work in supporting NIST. We're big fans of NIST and NTIA, in 
the work that they're doing, and the support that this 
committee and the--that this committee has shown has been----
    Senator Fischer. OK, thank you.
    Mr. Bergman.--very helpful.
    Senator Fischer. Thank you.
    Mr. Eggers, I'm glad that the Chamber of Commerce also 
endorsed the DIGIT Act several years ago. We appreciated the 
Chamber voicing its support for the bill again last year at a 
House committee hearing on the Internet of Things. You had a 
colleague that testified there.
    In your testimony today, your--you have highlighted the 
importance of elevating U.S. policy on IoT. Given the 
development of IoT cyber proposals globally and at the State 
level, can you speak to the particular importance of how a 
national strategy, informed by relevant stakeholders, could 
better position the U.S. as a leader in IoT in the long term?
    Mr. Eggers. Senator, thank you. And, by the way, that was 
our Chamber Technology Engagement Center, so that was their 
good work. I'll share that with them.
    To your point, are we moving fast enough? I think we're 
moving as quickly as possible. Speed has been on our minds, and 
we have been trying to push this effort as fast as possible. I 
think one of the things we may end up doing is----
    Senator Fischer. So, how are we going to be leaders, 
globally? How are we going to be leaders, globally, in this----
    Mr. Eggers. I think we're going to----
    Senator Fischer.--country? How do we move forward?
    Mr. Eggers. Once we develop the baseline--. . . one of the 
things that concerns me is the fragmentation issue. We've seen 
states having their own approaches to IoT cyber. We see foreign 
countries, regions--the EU, in particular--having a cyber 
certification--voluntary cyber certification program for 
devices and other parts of ICT. What I think we are looking to 
do is to complete initial work on this baseline and try to get 
others, at home and in places like Europe, working with groups 
like ENISA, to embrace the cyber baseline. What we're trying to 
say is that the baseline is good for them--their countries, 
their devices, and their companies. It's also good for us. 
Congress wants strong devices. And they should. One of the 
things we're trying to deliver is a baseline that's technically 
sound and it's got buy-in from the business community and, 
hopefully, policymakers. Because it's industry driven, we've 
got groups like NIST working with us, and we can improve and 
revise on it over time.
    Senator Fischer. When you look at--if I could, Mr. 
Chairman--just a yes-or-no answer--when you look at the 
standards that are coming out on a State-by-State basis, and 
the potential for that in the future, do you believe that that 
would increase cybersecurity risks?
    Mr. Eggers. I think what it tends to do is----
    Senator Fischer. Yes or no. I promised the Chairman.
    [Laughter.]
    Mr. Eggers. Yes.
    [Laughter.]
    Senator Fischer. OK, thank you.
    Thank you.
    Senator Sullivan. Was that a yes?
    Mr. Eggers. Yes.
    Senator Sullivan. OK----
    Senator Fischer. It was a yeeessss.
    Senator Sullivan.--there we go. All right. There we go.
    Senator Markey.
    Senator Markey. Thank you, Mr. Chairman.
    Mr. Geiger, Mr. Eggers said that, when he was shopping and 
he talked to the salesperson, the salesperson didn't know 
anything about what the standards of cybersecurity are. And, as 
a result, Mr. Eggers can't know. So, if the salesman doesn't 
know, and the company hasn't told him, and he's out shopping 
for some device, whatever it might be, that creates a huge 
black hole into which consumers continually fall, and their 
families become more vulnerable. So, have we reached, like, 
crisis proportions, in terms of the absence of cybersecurity 
protections built into these devices across our country, Mr. 
Geiger?
    Mr. Geiger. I'm not sure if we've reached crisis 
proportions, but----
    Senator Markey. Pick a word.
    Mr. Geiger.--but it's serious.
    Senator Markey. OK. Serious.
    Mr. Geiger. It's very serious. And on the issue of consumer 
awareness, we think that that is a vital component of 
comprehensive cybersecurity protections that should apply to 
IoT as well as other services. When I think about my mother--
she's a very smart person, but technology is not her thing. The 
idea of me, you know, telling her to go into her router to--
into her IoT devices to check for a default password, and 
possibly change the password, you know, check and see whether 
or not your IoT device encrypts your personal information--
these things are just not realistic. What I can tell her is, 
look for a seal, look for a label. And it will be weird if we 
end up in a situation in the United States where the label I'm 
telling her to look for comes from the EU Cybersecurity Act, 
which will have certifications--in particular, for IoT. I'd 
like to see something like that in the United States.
    Senator Markey. So, that sounds a lot like the Cyber Shield 
Act that I haven't introduced yet this year, but, you know, 
would give that information, and it would act like the ENERGY 
STAR program. So, you walk in, you look at the refrigerator, 
you look at the stove, and then it's--is it five, four, three, 
two, one, in terms of energy efficiency? Right? That's really 
what you're looking for. How much is this refrigerator going to 
cost me over the next 15 years? You know? And I'm willing to 
buy some energy efficiency now, because I'll save money in the 
long run, in terms of the refrigeration cost. So, then you can 
make up your own mind on this.
    So, what do you think about that approach, this legislation 
that I haven't introduced yet, but that kind of would provide 
that kind of information to consumers?
    Mr. Geiger. So, we're strong supporters of the approach, 
and note that there are a number of other programs that have 
been successful, like it, in the past. ENERGY STAR is one. The 
recycling symbol is another. Nutrition labels. I mean, these 
things can be effective if there's enough adoption. Failure to 
adopt across the private sector would--you know, will just 
result in failure of the program, sort of like what we saw with 
the trustee label, some years ago. So, we are supporters of the 
approach, and we think that it can make a difference, but it's 
not the only thing that we think should happen to improve IoT 
security.
    Senator Markey. Right. But, it--that--but, this legislation 
would create an advisory committee of cybersecurity experts 
from academia, industry, consumer advocacy communities, and the 
public to create cybersecurity benchmarks for IoT devices. And 
it's a very similar process that many of our witnesses are 
undergoing and applauding here today. And then, IoT 
manufacturers can voluntarily put up their own five, four, 
three, two, one--all voluntary, but then suffer in the 
marketplace if consumers think that it was misleading.
    Mr. Geiger. And we note----
    Senator Markey. So, the----
    Mr. Geiger.--we note that it's voluntary, and that it's 
based on industry standards and best practices. And we think 
that's a good approach.
    Senator Markey. And then the industry participant is--has a 
choice of picking that level of security.
    Do you think that makes sense, Mr. Bergman?
    Mr. Bergman. Thank you for this--the question, Senator.
    I was trying to puzzle out the relationship between 
changing default passwords and a label. I know that this label 
proposal has been discussed. We----
    Senator Markey. It would be voluntary, and it would be done 
in conjunction with industry participants. Could you support 
that?
    Mr. Bergman. We've--we're currently supporting an industry 
effort on baseline security that's worked--working public/
private partnerships with NIST. It is parallel tracking what's 
being done there. It's being mapped to what's being done in 
Europe. We feel that that's the fastest, most efficient, best 
way to get to a more secure Internet.
    Senator Markey. Yes.
    What do you think, Mr. Mayer?
    Mr. Mayer. I think----
    Senator Markey. Under that system, will consumers have 
five, four, three, two, and one stars? Will they have some--Mr. 
Bergman, will that system--the system that you're talking 
about, that you're working on, would Mr. Geiger's mother or Mr. 
Eggers be able to see it's five, four, three, two, one, in 
terms of----
    Mr. Bergman. Well, let me--thank you for the question, 
Senator. Let me say that we--we're very appreciative of the 
enthusiasm on solving these problems.
    Senator Markey. No, I know that.
    Mr. Bergman. And----
    Senator Markey. I'm not----
    Mr. Bergman.--education----
    Senator Markey. I'm just looking at--what would the 
consumer see in Best Buy? Would--do you want them to be able to 
see that it's five, four, three, two, one, with one being the 
least security? Do you want that for the consumers?
    Mr. Bergman. The best way----
    Senator Markey. Do they have something----
    Mr. Bergman.--I guess the best way I can----
    Senator Markey. If they're going to fork over----
    Mr. Bergman.--the best way I can answer this is----
    Senator Markey.--600 bucks, should they be able to know its 
energy efficiency, you know, the----
    Mr. Bergman. Yes, the----
    Senator Markey.--if you star--should they know what the 
cybersecurity are?
    Mr. Bergman. Absolutely. The problem with the comparison 
with ENERGY STAR, Senator, is that the--is, energy is very 
easily measured; whereas, cybersecurity is not. And what we--
when we talk about a mark or a label or something like that--
using the smart television example, if I go in to buy a smart 
TV, there's a 4k Ultra HD logo, there is an HDMI, there's a Wi-
Fi logo, there's a Bluetooth logo, there's SD card logo, 
there's high dynamic range. Consumers have a little bit of logo 
fatigue. So, we find that the best and strongest approach is 
for the manufacturers, the retailers to take their burden and----
    Senator Markey. Well, how about this? If the device, which 
the person purchased patches, would the industry then say, 
``We're going to patch the device to the highest standards as 
soon as it develops''--would that be----
    Voice. Could I offer----
    Senator Markey.--would that satisfy it?
    Voice. Could I offer a thought?
    Senator Markey. Well, just let me finish with Mr. Bergman. 
Would that satisfy----
    Mr. Bergman. Absolutely. Thank you for the question.
    Senator Markey. If it could----
    Mr. Bergman. So----
    Senator Markey. If it could patch----
    Mr. Bergman. So, NTIA has done an excellent job on 
patchability. We're very interested in the results of that, 
because patchability is a significant challenge, in terms of 
actually executing. There's a number of----
    Senator Markey. If it could be executed, would you support 
it? If it could be executed.
    Mr. Bergman. Sorry. Could you put a finer box around what 
we would be supporting? Could you say again?
    Senator Markey. You'd be supporting a patch standard that 
protected against the vulnerability that was identified. Would 
you--and we could do that--would you support it?
    Mr. Bergman. Well, thank you for the question, Senator.
    Senator Markey. And then----
    Mr. Bergman. I would have to----
    Senator Markey.--the consumer----
    Mr. Bergman. I believe----
    Senator Markey.--and then the consumer would know----
    Mr. Bergman. I believe we'd have to review it before we 
could----
    Senator Markey. Yes, I thought so. Yes.
    So, we're trying, here, honestly, just to have something 
that matches the urgency and gives the consumers--Mr. Eggers--
the information--or Mr. Geiger's mother--the information they 
need at point of purchase.
    Voice. Could I offer----
    Senator Markey. And then, if the technology can be 
developed, NIST maybe could tell us that you can patch the 
vulnerabilities, then that should be pretty easy to measure as 
to whether or not that, in fact, is working.
    And I'm sorry, Mr.--I'll come back to----
    Senator Sullivan. That's all right. I'm going to--we'll do 
another round. I'm going to--out of courtesy to Senator 
Blumenthal, I'm going to turn to him now.
    Senator Markey. I apologize.

             STATEMENT OF HON. RICHARD BLUMENTHAL, 
                 U.S. SENATOR FROM CONNECTICUT

    Senator Blumenthal. Thanks, Mr. Chairman.
    And you'll have to forgive me, gentlemen. It's not directed 
against you, personally, but I have a very strong feeling of 
impatience and frustration as a Connecticut consumer, not to 
mention public official, because, listening to this 
conversation, one could conclude that it's the first time we're 
having this kind of discussion. Really. And I can tell you that 
there is a tidal wave of anger and alarm building out there, 
with very good reason. Some of it's been reflected in the 
questioning today. But, to answer the question, Are we in a 
crisis?--Mr. Geiger, the answer is yes. Are we moving fast 
enough?--Mr. Bergman, the answer is no. And that's why, on a 
bipartisan basis, members of this committee and others are 
trying to formulate privacy legislation that will offer the 
kinds of protection that Senator Markey has been discussing 
with you. The pace is simply too slow. I could characterize it 
in other ways, but, right now in people's homes, there are 
insecure devices that are transmitting information about what 
their children are saying, what their hours of awakening are, 
what kinds of usage they have of their homes. There is 
automated software out there to simplify hacking. It's 
available on Amazon, 20 bucks. Twenty bucks. It isn't moonshot-
type technology. And, for all the conversations that have been 
going on for the last decade, there are little more in the way 
of safeguards or information available to consumers than there 
was a decade ago. And that's why, I think, there will be 
government intervention. The voluntary approach is failing, or 
has failed. And I think that there has to be stronger 
attention, with a sense of urgency that the subject demands.
    So, I want to ask a couple of very specific questions. I am 
assuming that you would agree that default passwords to access 
IoT devices should be prohibited as part of these standards. 
Anybody disagree?
    Mr. Geiger. The--I think the issue is not just that it's a 
default password. But, if the default password is shared across 
many devices, that's the problem.
    Senator Blumenthal. Well said.
    So, I'm--I've got a lot to cover in very little time, so--
I'm sorry, Mr. Mayer, did you have a comment?
    Mr. Mayer. No. I think you were going to say something.
    Mr. Bergman. I simply wanted to point out that we--some of 
these topics are very complicated when they go into execution. 
So, for example, password doesn't necessarily cover biometrics 
like fingerprints, which doesn't cover facial recognition. 
There's many different aspects of these topics, which is why we 
feel that industry, working in a voluntary consensus basis, has 
the agility to deal with these topics.
    Senator Blumenthal. Mr. Mayer?
    Mr. Mayer. Sir, I'd like to just provide some perspective, 
here, because we've been talking--thinking about where we are 
today as a snapshot, but let's talk about----
    Senator Blumenthal. Well, I will give you my questions----
    Mr. Mayer. OK.
    Senator Blumenthal.--and then I'll give you the opportunity 
to respond. But, I--I'm limited, in terms of time. And, in 
deference to my colleagues who are arriving, I just want to 
cover these questions.
    I'm assuming that all of you would agree that companies 
ought to be expected to provide two-factor authentication to 
secure access to IoT devices. I'm assuming that you would agree 
that they should be easily and automatically updated with 
security patches. You're shaking your heads? I'm disappointed.
    Mr. Bergman. Thank you for the question, Senator.
    The challenge--just going back to the two-factor 
authentication, usually we would talk about multi-factor 
authentication. Again, it gets to be kind of complicated when 
we start trying to execute the will of whoever is setting the 
policy. But, the challenges of doing these things, when, out 
there in the field, it's actually moving pretty quickly, it's 
very dynamic. We say that innovation moves at light speed, and 
this is, unfortunately, one of the consequences of having a 
very fast, innovative economy in the Internet.
    Senator Blumenthal. Well, I'm going to give you an 
opportunity to respond, but let me just make this final 
observation. Two points.
    Number one, going back to Senator Sullivan's point about 
foreign interference, here is an example of our being way too 
complacent. The Russians, as I have said repeatedly, are 
committing attacks--indeed, acts of war--on this country. And 
our defenses are way too late and way too slow. And you could 
be of assistance in that effort. But, complexity and 
technological advance are probably true, but the question is, 
Are we going to have action? And who will impose standards if 
you are unable to do so, which, so far, has been the case? And 
I realize that you're in a better position, maybe, to do it, if 
you do it, but delay, in terms of protection, is protection 
denied, so to speak.
    Mr. Geiger. Senator, we agree with you and share your sense 
of urgency. We strongly encourage you and your colleagues to 
pass data security legislation for personal information that 
will apply to some of the scenarios that you've described, and 
also to urge Federal agencies to describe how IoT fits within 
their existing authorities, and exercise your oversight role to 
ensure that their efforts are effective at strengthening IoT 
security. We think that those are things Congress can do now, 
they're part of ongoing debates that are already happening, and 
we think that it will make a difference.
    Senator Sullivan. Senator Klobuchar.

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Mr. Chairman. Thank 
you for holding this very important hearing.
    According to IoT analytics, there were 7 billion connected 
devices in 2018. And that doesn't even include smartphones and 
tablets, laptops, and fixed phone lines. And IoT devices, I 
think we all know, will continue to change the world around us, 
but these cybersecurity challenges are numerous. And, as I 
think you're hearing the frustration of some of the members up 
here, at some point we have to decide as whether it's worth it 
for some of these devices if they are actually hurting the 
security of America.
    I mean, this story--earlier this year, a couple in Illinois 
discovered that a hacker was talking to their baby and yelling 
racial slurs and obscenities through their Nest security 
camera. Families in Texas, Pennsylvania, New Jersey have 
reported similar terrifying incidents. In response, Google, 
which owns Nest, claims a system was not breached, but that 
hackers were able to access the cameras because the consumers 
used compromised passwords.
    I know you said, Mr. Geiger, that passwords are not 
sufficient, when discussing this with Senator Markey. Now, of 
course, I don't know how the consumers are supposed to know 
this, because they're just buying a device, spending money on 
it, and then they tell them to get a password, they try to get 
the best password they can, but this still happens. So, this is 
our frustration here.
    You'd highlighted how weak credentials could make these 
devices vulnerable. Do you believe that IoT devices in people's 
homes should be required to rely on something stronger than a 
password for remote access?
    Mr. Geiger. I think that the security protections that 
should be in place should be commensurate with the risks. The 
IoT device, when it ships, should not have weak credentials. 
But, then, if the consumer is changing the IoT password that is 
particularly weak, then that becomes a consumer awareness 
problem. I think that it's important for government to protect 
consumers when they can't protect themselves, and that includes 
making sure that, when the device leaves the warehouse, it has 
basic security features.
    Senator Klobuchar. So--but, you would think it's possible, 
as we look at what legislation we should get passed here--we 
have no privacy legislation really in place federally, which 
also includes other data breaches and things like that--that 
it's possible we should put together some legislation on this.
    Mr. Geiger. Senator, I think that security should be part 
of the privacy legislation.
    Senator Klobuchar. OK.
    Mr. Geiger. At least security for personal information. It 
will cover some of the IoT deployments that you mentioned. It 
may very well cover the Nest camera scenario that you 
described. It will not be a complete solution, because there is 
no silver bullet for IoT.
    Senator Klobuchar. OK.
    Mr. Geiger. But, including data security in privacy 
legislation will be very meaningful to consumers, and will have 
an impact on IoT.
    Senator Klobuchar. Should device makers be required to 
respond to good-faith reports of vulnerabilities from security 
researchers? We've heard that about half of the companies can't 
even detect if and when their IoT devices have been breached, 
leaving the devices vulnerable. And this is from a security 
company. Should they be required to have the capability--a 
second question--to automatically deploy security fixes to all 
their devices?
    Mr. Geiger. Thank you for the question.
    For--we do think that it's critical that companies have a 
process in place for responding to vulnerability disclosures 
from independent researchers and other external sources. 
Independent researchers are often a very valuable source of 
finding known vulnerabilities in products, and communicating 
those to the manufacturer. And if a manufacturer is out of 
business or if the manufacturer doesn't have that process, then 
the vulnerability just gets left unaddressed, in many 
circumstances.
    Senator Klobuchar. So, then you believe there should be a 
process to encourage companies to build security also into 
their IoT devices--not afterwards, but before?
    Mr. Geiger. Absolutely. And we think that one way to 
encourage companies to do so is with data security and privacy 
legislation, and encouraging agencies to articulate how IoT 
fits within their authority--their existing areas of 
jurisdiction, and to do so effectively.
    Senator Klobuchar. The last thing I'll ask about. My 
colleagues were relating this, understandably, to international 
security. And we know that the deployment of 5G networks--this 
will be for you, Mr. Mayer--we know that the deployment of 5G 
networks is critical to the adoption of IoT devices. But, the 
cost of deployment is always a problem in rural areas, just 
because of the costs, and they're far away, and----
    Huawei and ZTE, Chinese companies that we know our 
intelligence agencies have identified as national security 
risks, have been used by small rural carriers, since they are 
cost-effective providers of equipment. According to the Rural 
Wireless Association, it would cost 800 million to 1 billion to 
all of their members to replace Huawei and ZTE. I don't know if 
that's accurate. That's what they're saying. How can we then 
ensure, if we're going to deploy 5G in rural areas, which we 
all want to do, especially those of us with extensive rural 
areas, but if we're going to start using carriers that we can't 
trust? Answer that question for me. How can we ensure that 5G 
is deployed in rural areas without compromising network 
security?
    Mr. Mayer. So, I can't speak for the rural wireless 
carriers. I can speak only for our members. But, I can tell you 
that, as I indicated before, our members are aware of the 
national security interests that have been raised with Huawei 
for many years, which is why they've been careful to avoid that 
particular deployment. The costs that you speak to are real. We 
know the economics in rural areas for deployment of 
telecommunication services are different than they are in urban 
centers. The best thing that we can do to make 5G available in 
those areas is to continue to push fiber optics as far into the 
rural areas as possible, because we're going to need that 
backhaul----
    Senator Klobuchar. Oh, I agree.
    Mr. Mayer.--capacity.
    Senator Klobuchar. I'm all on board on that.
    Mr. Mayer. And we need the help of the U.S. Government in 
supporting those efforts----
    Senator Klobuchar. And I'm all in to funding more for 
broadband. I have no idea why we--the rural backbone isn't 
there, when we have it in places like Iceland----
    Mr. Mayer. Yes.
    Senator Klobuchar.--in general, and the phone network, and 
everything else. But, we have to figure out--make sure that 
we're not impinging on security when we do it.
    Mr. Mayer. I--we completely agree with you on that, and we 
have emphasized security in all of our engagement----
    Senator Klobuchar. OK.
    Mr. Mayer.--with government.
    Senator Klobuchar. And then, I'll just put onto the record, 
so that my colleague, Senator Cantwell, can ask questions, just 
questions about our work force, in general. Senator Thune and I 
have a bill to allow for more private-sector back-and-forth 
when it comes to our work force, and allowing some of our 
workforce to get trained out of the government so we can better 
check these things. And then, also, I have a precision 
agriculture bill. And it was actually signed into law, the 
Precision Ag Connectivity Act. And I'll ask those on the 
record.
    So, thank you, all of you.
    Senator Sullivan. Senator Cantwell.

               STATEMENT OF HON. MARIA CANTWELL, 
                  U.S. SENATOR FROM WASHINGTON

    Senator Cantwell. Thank you, Mr. Chairman. Thanks for 
having this hearing. And I appreciate my colleagues' good 
questions, here.
    Mr. Romine, I want to thank you for NIST's work and for 
your work on guidelines and standards, writ large. And, since 
you are that person, I wanted to ask you, What did you--what do 
you think we need to be doing on the standard-setting on an 
international basis on IoT technology so we have harmonization? 
What's the best path for that?
    Dr. Romine. Thank you, Senator. And thanks for your 
appreciation for our work. We're fiercely proud of the work 
that we do, so I'm pleased to hear you----
    Senator Cantwell. Well, it's--yes, I could go, chapter and 
verse. It's--people may not understand it, but it is how we 
move forward, and it's how we create the standards.
    Dr. Romine. Right.
    Senator Cantwell. And, guess what? If the United States 
creates the standards, then, chances are, other people are 
going to follow them. So, that's why----
    Dr. Romine. Absolutely.
    Senator Cantwell.--the work is so important. And, 
obviously, interoperability, writ large, is also a big issue, 
because that way we can have people standardize on certain 
technologies, and then have the interoperability. So----
    Dr. Romine. Right. So----
    Senator Cantwell.--thank you.
    Dr. Romine.--we are engaged with our partners in the 
private sector in the area of standards development. In many 
cases, we are working alongside our partners at the National 
Cybersecurity Center of Excellence to promote guidelines for 
improving the security of IoT devices.
    One of the things that probably hasn't come out enough, 
perhaps, in this is the context of use of some of these 
devices. For example, some of the work that we've done at the 
NCCoE with our private-sector partners involves improving the 
security of wireless infusion pumps. These are things that are 
actually administering drugs to patients in a hospital setting. 
It's terrific that they're wireless. You reduce transcription 
errors and possibly reduce medical errors as a result. However, 
the concern about those devices being unsecure and an entry 
point into the enterprise network of a hospital, for example, 
is significant. And so, we undertook that kind of project at 
the NCCoE.
    Something like a wireless light bulb, for example, is an 
entirely different context of use, not nearly as critical as a 
wireless infusion pump, for example, to life and limb. 
Nonetheless, the standards arena is one where I think we can 
have a tremendous impact. And, as you know, and the Committee 
here knows through the many long years of support for NIST's 
work in standards, we don't actually manage the standards 
development activities. This is a private-sector-led in the 
United States. We support that activity, in partnership, and 
continue to do so, including engagement with the 3GPP, for 
example, that was mentioned earlier, of the 5G communications 
capabilities that are going to support extensions of IoT. And 
our folks are engaged--our NIST staff, our technical experts--
engaged in that international standards arena for 5G security.
    Senator Cantwell. And where is most of that taking place? 
What group?
    Dr. Romine. 3GPP is the----
    Senator Cantwell. OK.
    Dr. Romine.--is the name of the--it's the third-generation 
partnership.
    Senator Cantwell. OK.
    Dr. Romine. So, it's----
    Senator Cantwell. And is that----
    Dr. Romine. Even though it's 5G, it's--the name of the body 
is still--is 3GPP.
    Senator Cantwell. OK. And so, you think, for IoT, that's 
still the place?
    Dr. Romine. Well, that is one place where the new 
communications technologies that will help enable broader 
adoption of IoT is----
    Senator Cantwell. More about----
    Dr. Romine.--is being done.
    Senator Cantwell.--places like IEEE and other 
organizations?
    Dr. Romine. IEEE is certainly another one. There are other 
standards development organizations that we're engaged with, as 
well. But, those are some primary ones. ANSI, you know, 
generally speaking, coordinates these for the United States.
    Senator Cantwell. OK. What--so, let me ask it differently. 
On a scale of 1 to 10, what--how good do you think we are at 
having established networks to solve cybersecurity challenges 
on IoT as an international standard, not a national?
    Dr. Romine. Scale from 1 to 10 is hard for me. I would say 
it's--one of the most challenging things that NIST has is the 
rating or the measurement of security. What I would say is--I 
would look to the cybersecurity framework that NIST worked on, 
in consultation and----
    Senator Cantwell. Yes.
    Dr. Romine.--in partnership with----
    Senator Cantwell. Yes.
    Dr. Romine.--the private sector----
    Senator Cantwell. Yes.
    Dr. Romine.--as an opportunity to spotlight the influence 
that the U.S. has internationally on cybersecurity standards 
and guidelines.
    Senator Cantwell. Is that the approach? Because I know my 
colleagues mentioned Huawei, or some of them have mentioned--
and maybe prior to getting here--and this is, like, a big 
issue, right, as to what other people standardize on, as well, 
and then is integrated into their system. So, if we have a 
cybersecurity framework, which you guys have--NIST has done a 
good job on--do we take that to--and do it in a bilateral 
fashion, or do we do it in a multilateral fashion with 
countries with already-established cyber frameworks, too?
    Dr. Romine. So, we do both of those things. We promote 
international engagement using the cybersecurity framework as a 
tool for that. And we've had tremendous success. Numerous 
countries have adopted or altered in some ways, but used the 
basic framework of the cybersecurity framework that NIST worked 
on with our private sector here in the U.S. And, I think, with 
great success.
    Senator Cantwell. Well, I see my time is expired, Mr. 
Chairman. Thank you.
    Senator Sullivan. Senator Moran.

                STATEMENT OF HON. JERRY MORAN, 
                    U.S. SENATOR FROM KANSAS

    Senator Moran. Mr. Chairman, thank you. Thank you for 
allowing me to join your Subcommittee today.
    Let me start with Dr. Romine. I chair the Appropriations 
Subcommittee for the Department of Commerce. That includes 
NIST, as you know. I'm ensuring--I'm interested in ensuring 
that you have the necessary resources. The administration's 
budget is a $112 million reduction, less than enacted over last 
year's FY19 levels. Would you expect this budget cut to impact 
NIST's specific role in supporting its public and private 
partnership on IoT cybersecurity research and standard-
settings?
    Dr. Romine. The guidance that we received from the 
administration during the development of the budget was to 
ensure that we protected, to the largest extent possible, 
certain programs that they viewed as high priorities. And that 
included the cybersecurity program at NIST. And so, that--we 
believe we can execute the necessary activities under our 
cybersecurity program under the President's proposed budget.
    Senator Moran. I hope that's the case. And we'll be 
watching to make certain that remains the case, that what you 
just testified remains true.
    Really, a question for all. The subcommittee I chair in 
the--in Commerce, we held a hearing last year on the private 
industry's use of coordinated vulnerability disclosure 
programs, including bug bounty programs to identify 
cyberthreats. Many businesses and Federal agencies have found 
utility in this approach, as the diversity, scale, and 
expertise of cybersecurity research community can oftentimes 
identify vulnerabilities that automated scanners and permanent 
penetration teams cannot. Are there examples of connected 
device manufacturers utilizing this type of cybersecurity 
threat detection? And, if not, do you think it's a feasible 
tool?
    Mr. Bergman, you looked----
    Mr. Bergman. Thank you for the----
    Senator Moran.--anxious to speak.
    Mr. Bergman. Thank you for the question, Senator.
    Absolutely. What we're seeing is that a number of the more 
mature manufacturers are not only using these techniques, but 
they are growing beyond the basics. There's a metric out there 
called BSIMM, Building Security In--Maturity Model, that we're 
fond of. And this program includes major manufacturers, like 
Qualcomm, Intel, other brand names that you would know from the 
manufacturing--from the consumer technology industry, as well 
as names from other consumer categories, the financial 
industry, and so on. So, it really--it's really across the 
board. And what they have is multiple levels. And the--what you 
just described would--is what I would call Level 1. And there 
are companies that are working at Level 2 and Level 3, where 
level 3 is, they're using the intelligence that they get from 
the coordinated vulnerability information in order to predict 
the next threat before it is even detected. So, there's quite a 
bit of work going on in that area, and it's been very 
successful.
    Senator Moran. Thank you.
    Others? Mr. Geiger?
    Mr. Geiger. Yes. So, I would agree with Mr. Bergman that 
there are a lot of mature manufacturers that currently have 
vulnerability disclosure policies and procedures. It is not 
something that we necessarily see ecosystemwide. And we think 
that's a problem. We think that it is very important for IoT 
manufacturers to have an ability to receive disclosures about 
vulnerabilities in their products from independent researchers. 
This will help them to protect consumers by issuing a patch or 
other mitigation.
    We also think that this is something that government 
agencies, governmentwide, ought to employ. But, there is a very 
important distinction between coordinated vulnerability 
disclosure and bug bounties. The distinction is that, for bug 
bounties, it's usually limited in scope and time duration, and 
the researchers are paid for that work. So, there tends to be a 
large volume of disclosures, and it only applies to a certain 
subset.
    Even in--even if you have a bug bounty program, you should 
have a baseline coordinated vulnerability disclosure program 
that applies--it's just a process for receiving the 
information. No--it doesn't necessarily mean that the 
researcher will get a reward, but it means that there will be a 
response and some sort of mitigation once the disclosure has 
been submitted.
    Senator Moran. Thanks for that explanation.
    Mr. Eggers. Senator, if I may, just to add on to that. 
We've worked closely with this Committee and the Senate 
Homeland Committee, a couple of years ago on legislation called 
the PATCH Act. And one of the things that's relevant here in 
the coordinated vulnerability disclosure issue is, when there 
are vulnerabilities discovered, vendors want those 
vulnerabilities reported to them so they have time to create a 
fix and push it out. I know that this committee and other--
others are looking at legislation that would leverage a CVD-
like program. On balance, we think that those are good. The 
role of government in identifying and mitigating those 
vulnerabilities is something that we're still looking at trying 
to understand better and what flows from that. But, on balance, 
one of the capabilities of the IoT cyber baseline is managing 
such vulnerabilities, having a patching process, and so forth, 
which I think is one of the fundamental things that we've seen 
with bills.
    And--they've departed, but I was just going to mention 
that, with Senator Cantwell, Senator Blumenthal, a number of 
things that they raised as concerns, I think the core baseline 
will address those, and likely more.
    Senator Moran. Thank you.
    Senator Sullivan. Let me continue the line of questioning 
that Senator Cantwell began.
    Mr. Romine, let me just rephrase her 1-to-10 question. And 
we appreciate the good work that all of you do at NIST, so 
thank you for that. But, does the United States maintain an 
international lead in both setting technical IoT security 
standards? And how do we strengthen the role of the U.S. doing 
that internationally?
    Dr. Romine. Thank you, Mr. Chairman.
    We do have a robust engagement in the IoT security 
standards arena through the 3GPP. This is----
    Senator Sullivan. So--but, we've been--my question is--I 
think maybe I'm assuming something by asking it, but that we 
have traditionally had the lead with regard to international 
technical standards in the telecoms field. Do we--are we in the 
lead, or have we maintained the lead, in setting the 
standards--technical IoT cybersecurity standards, right now?
    Dr. Romine. I believe we are. The----
    Senator Sullivan. And how can we help you maintain that 
lead? Isn't that important to everybody here?
    Dr. Romine. So, I would say that the standards development 
organizations that we engage with that are leaders in this 
space are inherently meritocracies. That is, the very best 
technical input, the soundest technical ideas, do ultimately 
prevail. It's a bit of a messy process, but it does actually--
the currency there is technical competence and technical 
excellence, and something that NIST and the U.S. industry 
representatives are very, very good at, and still maintain 
leadership there.
    Senator Sullivan. And if we are----
    Dr. Romine. The strengthening----
    Senator Sullivan. Oh, sorry, go ahead.
    Dr. Romine.--question--I'm sorry. I apologize. The 
strengthening question relates to ensuring a robust ecosystem 
of research so that we can continue to generate the ideas that 
are necessary to continue to lead in the international----
    Senator Sullivan. Yes.
    Dr. Romine.--community.
    Senator Sullivan. Let me ask this question. And it kind of 
came up from Senator Scott's question. And it, of course, 
relates to the concerns we have with Huawei and ZTE and what 
they're doing, which is, I think, in some ways, competing 
pretty dramatically, not only in terms of wiring the world, but 
also setting the standards. And I know we also have the 
European Union. To me, we want to maintain our lead in this. 
But, there's a big difference. And some of you had kind of 
indicated, ``Well, hey, they're all over. We can't--you know, 
it is a business. We can't, kind of, discriminate against 
them.'' But, it's a business that's actually infiltrated by the 
Communist Party and probably the PLA, and it ultimately would 
take orders from them. That's the way their system works. So, 
I'm much less concerned about the EU. I'm much less concerned 
about the pretty much any other entity in the world, because it 
might be standards that we're not necessarily in agreement on, 
but it's not a company that ultimately is run or would be 
answerable to an entity--let's face it, we don't want the 
Communist Party of China setting standards globally on the 
Internet security of things. So, how do we make sure that--but, 
when you say, ``most people--it's a meritocracy''--I think most 
countries don't want standards set by the Communist Party of 
China or the PLA. So, how do we use that to our advantage, I 
guess is my issue? Because isn't that the main competition 
right now? Or is it the----
    Dr. Romine. So----
    Senator Sullivan.--EU, or both?
    Dr. Romine. Your concern, which is understandable, is 
maintaining leadership of the United States in the standards 
space.
    Senator Sullivan. Globally.
    Dr. Romine. Globally.
    Senator Sullivan. Correct.
    Dr. Romine. And what I would say is this. We do see 
evidence of increased engagement in the standards arena by 
China and other countries that are economic adversaries of 
ours. In this case, though, what we haven't seen is definitive 
evidence of a substantial increase in the impact of that 
activity.
    Senator Sullivan. OK.
    Dr. Romine. So, representation is not the same as impact.
    Senator Sullivan. That's important.
    Let me ask another kind of related question. I was in a 
meeting, just recently--very recently--that included a very key 
African leader who is very knowledgeable in the private sector 
with regard to international telecoms and 5G and some of the 
topics we're talking about. Internet of Things, certainly. 
Very, very knowledgeable, very influential. He mentioned to me 
that, in the 5G world, if the entire continent of Africa said, 
right now, ``OK, we will take and build out a system on the 
continent that will be led by an American company,'' there's no 
American company right now that could deploy 5G. He mentioned 
that Africa might have 5G deployment from Huawei before we get 
it in our own country. Is that true? And we're concerned about 
this deployment of 5G globally in a competition with China, 
particularly companies like Huawei and ZTE, but this 
individual, very knowledgeable, was essentially saying to me, 
``We don't have an American choice.'' What is the choice? What 
is the choice for, not just Americans, which I care mostly 
about, and Alaskans in particular, but people in Africa? What's 
the choice? Do they have a 5G choice right now?
    Mr. Mayer, you want to address that?
    Mr. Mayer. Sure. I think supplier diversity with respect to 
5G is a real concern, and one that I know our members care 
about.
    Senator Sullivan. But, is there an American company----
    Mr. Mayer. There is no American company----
    Senator Sullivan. And will there be one soon? We----
    Mr. Mayer. Well, in the absence of some substantial funding 
to get something like that started----
    Senator Sullivan. Funding from whom?
    Mr. Mayer. Well, that's the question. I----
    Senator Sullivan. The big telecoms need a subsidy----
    Mr. Mayer. No, no, no. I'm not talking about--well, no, 
that's not what I'm saying. What I'm saying is that we've got 
Nokia, we've got Ericsson----
    Senator Sullivan. Right.
    Mr. Mayer.--we've got Samsung. These are well-established 
companies that are delivering products capable of supporting 5G 
deployment.
    Senator Sullivan. And not answerable to the Communist Party 
of China?
    Mr. Mayer. Well, no, I don't think they're answerable to 
the----
    Senator Sullivan. OK.
    Mr. Mayer.--Communist Party of China. And that's why those 
are the vendors that will--you'll see involved in the 
deployment in the U.S. But, you know, you'd have to go back all 
the way to the days of Ma Bell and the--at a time when we were 
developing manufacturing capabilities to support the--that 
system. That's no longer here today.
    Senator Sullivan. Just real quick. And I want to be 
respectful to my colleague, here. But, why do you think we 
don't--at least from a U.S.-company perspective, we don't even 
have anyone--any entity that's ready for that deployment? We 
are just asleep at the switch? Or----
    Mr. Mayer. Well, you know, there's been convergence, 
consolidation in that industry.
    Senator Sullivan. OK.
    Mr. Mayer. AT&T, Lucent, Alcatel, you can just follow the 
chains, how global mergers resulted in moving that capability 
to foreign companies. It's very difficult to start from scratch 
today. It would be very costly to build in, let's say, unique 
security considerations into those products that might be 
higher than what the commercial standards are for the other 
manufacturers. It's a dynamic that's very hard to recapture at 
this point. We have to work closely with the existing vendors 
and make sure that the security capabilities are built into 
their products to our satisfaction.
    Senator Sullivan. Thank you.
    Senator Markey.
    Senator Markey. Thank you, Mr. Chairman, very much.
    This goes right to the sinister side of cyberspace, goes 
right to the bad part of the whole thing. And we just have to 
deal with it. And the industry can promise all the wonderful 
things, and they can deliver that immediately, they can have an 
algorithm from here to Osaka and back in a quarter of a second, 
and they can brag about all that transfer of information. But, 
when we ask them about cybersecurity, ``It's just so 
complicated. We can't figure it out. We don't know what the 
algorithm would be. Just so complicated to deal with the bad 
side.''
    So--and I had--I've had this problem before, with the 
Consumer Technology Association, when I was trying to pass a 
law that said that every TV set in America had closed 
captioning, back in 1990. I just had this, ``Oh, my goodness 
you don't know how complicated that's all going to be. You've 
got to give us more time.'' Then in 1996, I wanted a V-chip, 
you know, for violence and sex and language, built into every 
TV set. ``Oh, it's going to cost $25. It'll get so complicated. 
Regular consumers won't want it.'' Then in 2010, on whether or 
not every wireless device is accessible to the deaf and blind 
in America, ``You don't know how complicated it is. You've just 
got to give us all this extra time.''
    So, I've done this over and over again. And ultimately, 
each time, you have to pass a piece of legislation, just say, 
``Go get it done. Figure it out. You want to argue over 2 years 
or 3 years to get it done? You want to argue over 6 months or 2 
years? Argue over that, but don't argue over whether or not it 
can get done.'' I can--because I've learned too many times, 
just dealing with Consumer Technology Association, that's 
always--it's never today, and it's not soon.
    So, here's my fear. My fear--and let me ask you this, Mr. 
Geiger. And thank you for Rapid7, you know, being here. Thank 
you for what you're doing. If your mother's buying an HDTV set 
today, and she's bringing it right into the living room, can 
that set potentially be hacked and people are listening to her, 
or even watching her, in the living room?
    Mr. Geiger. Yes, it can.
    Senator Markey. Now, how would she know that? Would the 
salesperson tell her that? ``Be careful that--that TV set can 
be turned into an actual camera, watching you, or that they can 
listen to you.'' Does--would she know that if she was out 
shopping today?
    Mr. Geiger. Most salespeople are very knowledgeable, but my 
experience with them has been that they have not been able to 
tell me similar information when I have asked for products that 
I buy, even high-end products, like an HDTV. There are certain 
things that the user can do to protect themselves. Like, for 
example, you should immediately update your television software 
and so forth.
    Senator Markey. Would your mother know how to do that?
    Mr. Geiger. She would probably call me, and I would talk 
her through it.
    Senator Markey. No, I don't mean you.
    [Laughter.]
    Senator Markey. Her--the son she's so proud of, that has 
such great tech skills. I mean an ordinary family. Would they 
know how to do that?
    Mr. Geiger. I don't--I can't speak for other families, but 
it is--it's----
    Senator Markey. I can.
    Mr. Geiger.--it's a process, and it's----
    Senator Markey. I will say that that's a very daunting 
challenge for most families. And I know it's a daunting 
challenge for history and English majors in college.
    [Laughter.]
    Senator Markey. Very daunting for us. We just look at it 
and maybe, you know, I'll wait until the TV is 10 years old, 
right?
    So, would the same thing be possible for a microwave, that 
that could also be turned into--if you can talk to the 
microwave, could the microwave also be hacked by someone so 
that they can be listening to your conversations in the living 
room?
    Mr. Geiger. At this point, every device ships with some 
vulnerabilities. There is never going to be a--we're never 
going to reach a situation where there is complete security. I 
think that what is most important now is that we look at 
preventing the most basic and unreasonable lack of security 
that we see in some devices.
    Senator Markey. So, you agree, though, that that TV set or 
that microwave should have a five-star--four, three, two, one--
warning, in terms of the protection that's been built into that 
set against being hacked.
    Mr. Geiger. I think that that would be one very important 
component. I think that another, as I've mentioned, is having, 
both, agencies establish an IoT baseline within their own areas 
of authority, and having security legislation that protects 
consumers. This would shift--because part of the problem with 
the label is that we also don't want to have to put the entire 
obligation on consumers. It can't just be about consumer 
awareness. There have to be things that are built into the 
product as it leaves.
    Senator Markey. That's what I'm saying, that they would be 
built in. For instance, when I buy a car--if I bought a car 5 
years ago, and it says five-star safety--four, three, two, 
one--I know that, 2 years later, it's not the same standard as 
it was 2 years ago, but I knew when I bought it that it had the 
highest-possible security standard. And if I bought a car that 
only had a one rating, I would know that, and it would probably 
be even less safe now. But, I would know all that, and I would 
internalize it, and I would make a decision as a customer. And 
then what happened, of course, is, once we set up that system, 
auto industry competed on safety. They want the----
    Mr. Geiger. Exactly.
    Senator Markey.--five star. With consumers smart enough to 
know that 2, 3, 4, 5 years later, it might have advanced, but 
at least you did your best for your family, your children, you 
know, your loved ones in the car at the time. So, the same 
thing is true here, except you can actually, in the Digital 
Era, patch remotely----
    Mr. Geiger. Right.
    Senator Markey.--and bring it up to standard, huh----
    Mr. Geiger. And we----
    Senator Markey.--Mr. Geiger?
    Mr. Geiger. And we think it's critical to have a 
differentiator for consumer technology that is not just about 
cost, but that is also about security. Retailers have adapted 
to things like ENERGY STAR. If you go on Amazon and you try to 
buy an appliance now, you can filter the search results by 
ENERGY STAR. You know, I personally, as a consumer that cares 
deeply about cybersecurity, would filter it by an energy 
shield--or a Cyber Shield or other such differentiator. 
Currently, that just does not exist that is widespread in the 
ecosystem.
    Senator Markey. Yes. So, my view----
    I'm sorry, Mr. Chairman.
    Senator Sullivan. Well, I'm--I was just going to--go ahead 
and----
    Senator Markey. I would just conclude by saying, from my 
perspective, the least that we should be able to do to--for 
families is to give them the safety information they need. And 
if they want to shortchange their family because the extra 
money hasn't been spent by the company on building in the 
cybersecurity, or the security into an automobile----
    Voice: Could I----
    Senator Markey.--or an SUV to protect them, then that's a 
family decision. But, at least--the least that we should be 
able to say is that we tried, we really tried to get this 
information to families across this country, that their 
security is at risk. And that's why I think we just have to 
build a mandate into this legislation and give them a deadline 
to come up with a consensus.
    Voice: May I----
    Senator Markey. Otherwise, I just think it's an open-ended 
take-home exam that will never be finished, and that's what 
I've found in the past with the industry.
    Senator Sullivan. I'm going to----
    Senator Markey. OK. Sure.
    Senator Sullivan. No, I want to--but, I want to give you 
guys an opportunity to wrap. This has been a very good hearing. 
You can tell Senator Markey has been focused on these issues--
and I respect him a lot--for most of his career. Like I said, 
very interesting hearing. I'm not sure I've been at a hearing 
where the witnesses talked about their mothers so much, so 
that's kind of----
    [Laughter.]
    Senator Sullivan.--interesting.
    But, here's my, kind of, final question for all of you. And 
you all get to take a crack at this. I think you're seeing, 
here, both sides, right, Republicans and Democrats, are--we 
are--on the Internet of Things, as both of our opening 
statements mentioned, great opportunities, but also growing 
security risks, challenges, both internationally, but also, 
importantly, to consumers. And making sure consumers have 
confidence in what they're buying, I think, is very important, 
not just to us, terms of the oversight role, but should be to 
all of you. And I assume that it is.
    So, one of the issues is labeling. OK? There were good 
arguments, both sides, right? I thought the argument, ``Hey, 
this isn't energy. It's a little bit more complex.'' Mr. 
Bergman, I think you mentioned, ``This isn't energy.'' Right? 
This is very complex. So, what else can we, or you, or the 
combination of both, be doing to build consumer confidence that 
the, you know, baby monitor is not being used as some kind of 
twisted device to, you know, say things to young children that 
every American thinks is abhorrent? Right? So, why don't we 
just go down the line. And we'll start--and end the hearing 
with each of you weighing in on that question.
    OK. Go ahead, Mr. Romine.
    Dr. Romine. Thank you, Mr. Chairman.
    Senator Sullivan. Confidence. Consumer confidence. Big 
picture. What do we--what should we be doing?
    Dr. Romine. A big part of the stated purpose of my 
laboratory at NIST is cultivating trust in IT. And to that end, 
we work diligently in the cybersecurity arena to try to promote 
that kind of trust through management of risk. That's our 
mantra, is, How do you manage the risk? We do not solve the 
cybersecurity problem, ``OK, it's fixed, we're done, let's move 
on.'' It's an ongoing, dynamic arena.
    That's certainly true in the IoT space. The reason we 
established a formal program in IoT security a few years ago 
was the mounting concerns about IoT as a completely different 
type of IT device that needed to be understood in the context 
of its use and because it was going to be so pervasive. You 
talked about billions of devices. The sheer scale of this 
problem is different than anything we've seen before in the 
cybersecurity space.
    So, we will continue to work diligently with our colleagues 
in the private sector to do the best that we can to raise the 
effort that's needed by adversaries to try to break into these 
systems.
    Senator Sullivan. OK.
    Let's just--I don't want a repeat--thank you--I don't want 
a repeat of everybody's opening statements, but----
    Mr. Eggers. Sure.
    Senator Sullivan.--keep it short, concise, succinct. But, 
Mr. Eggers, next to you.
    Mr. Eggers. Senator, I----
    Senator Sullivan. Consumer confidence.
    Mr. Eggers. Thank you.
    Senator Sullivan. How do we build it?
    Mr. Eggers. I think the effort we're doing here, we're in 
relatively early stages, meaning that we're going to come out 
on the other side of this effort with a product that will 
achieve your interests in security, Mr. Chairman, Mr. Ranking 
Member. I think that the capabilities that are in the 
documents, if you will, the standards, the efforts that we are 
looking to hold ourselves to in building will be what you're 
looking for. We want to take that work, that consensus work, 
and push it globally.
    On the labeling front, I think it's a very good issue to 
tackle. One of the things why I think it's valuable to be here 
is because we do value your concerns, what--how you see a 
label, and what it means to you. It's not anything we shy away 
from. One of the things that we try to do at the Chamber is 
work through issues, consider pros and cons, and come out on 
the other side with a position that works for a number of 
stakeholders. You're not wrong to want something that----
    Senator Sullivan. You need to be succinct, here, so----
    Mr. Eggers. Yes.
    Senator Sullivan.--wrap it up.
    Mr. Eggers.--that communicates effectiveness. However, I do 
believe that, if there is a government-directed or quasi-
directed label, it won't keep up with this baseline effort that 
we are trying to achieve, purely and simply.
    Senator Sullivan. Mr. Mayer.
    Mr. Mayer. So, I think we have to be careful that we don't 
create a false sense of confidence by putting a label out there 
that may not be able to maintain its currency. I'll give you an 
example. Senator Markey mentioned the car. Those cars today are 
software, they're computers, they're sensors talking to each 
other, they're moving back and forth among each other within 
the car, to other cars, and back to the factories. What is a 
level one this afternoon, by this evening might be a level 
three, because there's been a change in some configuration. So, 
as we move toward AI, big data, 5G, in terms of connectivity--
and we're moving there quickly--we're going to have to 
understand that it--there's going to be a requirement for a 
different level of effort to protect and secure these devices. 
And that's going to be constantly evolving, because the 
adversaries are going to come at this level, the defenders are 
going to go here, the adversaries are going to go here, 
defenders are going--here. We're in this constant wrestling 
match. That's the environment we're in. And we have to put as 
much control in the hands of the experts, the technicians, the 
statisticians, the mathematicians, the people who can actually 
build the algorithms that will keep us safe and keep these 
environments safe. That's the environment we're moving toward. 
It's going to be very complicated.
    Senator Sullivan. Mr. Bergman.
    Mr. Bergman. Thank you for the opportunity, Senator.
    Senator Sullivan. Consumer confidence. How do we build it?
    Mr. Bergman. CTA is a big fan of consumer education. We've 
invested in a consumer awareness campaign. We have now--since 
2017, our public service announcements have gone out 25,000 
times over national cable networks, local and TV/radio 
stations. At the same time, we find that everyone has their 
part to play, and our focus is on making the devices as secure 
as possible.
    One of the reasons that this is so important is that our 
major members on the retail side are demanding action from us 
and from the manufacturers. I can give you a specific example. 
Best Buy, major brick-and-mortar and online retailer, is not 
only coming to us and saying, ``We need a clear way to 
communicate what the cybersecurity requirement is to the 
manufacturer of the IoT device before it goes in our store, and 
we need that to be accepted by industry, we need it to be 
acceptable to the government, we need it to be something that 
we can work with on a global level.'' Not only is Best Buy 
working with us, in terms of giving us this input, they're 
literally chairing one of our committees to solve these 
problems. These--this is one of the market incentives that's 
arising.
    Another factor is the recognition that consumers are 
uncomfortable about buying IoT devices, for the issues that 
we're talking about today. And that is an incentive to everyone 
in the ecosystem to solve the problem.
    Senator Sullivan. Mr. Geiger, last word.
    Mr. Bergman. Thank you.
    Mr. Geiger. Thank you. I think that the most important 
thing that you can do for consumer trust is to pass data 
security legislation that requires reasonable security for 
personal information. A lot of the harms that are driving the 
privacy debate are not due to a failure of notice, choice, 
access, transparency, or use restrictions. They're failures of 
security. They're failures because of unauthorized access or 
accidental data breach. The Marriott and Equifax breaches are 
excellent examples of failures of security, not other privacy 
principles. Voluntary guidance, we think, alone, will not work. 
And we hear from some of the companies here today--or 
associations here--talking about the baseline for IoT security. 
We think that that's great, and it's very fruitful work, and it 
should be a factor into what is considered reasonable for 
security of personal information. The point is that there has 
to be some sort of enforcement mechanism behind it to prompt 
adoption.
    Thank you.
    Senator Sullivan. Well, I want to thank all the witnesses. 
I want to thank Senator Markey. A very, very informative 
hearing. We have a lot of work to do, all of you, all of us, 
but I think this is an important step forward.
    The hearing record will remain open for two weeks. During 
this time, Senators may submit questions for the record. Upon 
receipt, the witnesses are, respectfully, requested to submit 
their written answers to the Committee as soon as possible.
    Again, thank you to all of our witnesses today. Excellent 
hearing.
    This hearing is now adjourned.
    [Whereupon, at 4:30 p.m., the hearing was adjourned.]

                            A P P E N D I X

    Response to Written Questions Submitted by Hon. Roger Wicker to 
                        Charles H. Romine, Ph.D.
    Question 1. To what extent will NIST's final IoT cyber baseline 
account for the varying levels of risk that different types of 
connected devices pose, and if so how? Does the baseline incorporate a 
one-size fits all approach or one that is more risk-based?
    Answer. The Core Cybersecurity Capabilities Baseline is intended to 
identify a common set of capabilities for IoT device cybersecurity, in 
other words a ``floor.'' It is expected that a) profiles will be 
developed that adapt this baseline to their market sector and provide 
flexibility to add additional required capabilities (informed by market 
specific use cases and risks); and b) industry-led consensus standards 
may evolve to further elaborate on the implementation of the 
cybersecurity capability as appropriate for that market. This path 
provides for an adaptable approach informed by risk and taking into 
account the broad range of device capabilities and use cases 
encompassed in the Internet of Things.

    Question 2. How serious is the U.S. dependence on foreign 
information and communications technology? Who are we dependent on and 
how do we reduce this dependence to ensure the security of the U.S. 
supply chain?
    Answer. NIST cannot comment on ``identifying the U.S. dependence on 
foreign information and communications technology and who are we 
dependent on'' as these are out of NIST's scope of work.
    Securing the information and communications technology and services 
supply chain is a top priority for the Administration. As directed by 
the Executive Order on the topic, the Office of the Director of 
National Intelligence is responsible for assessing ``threats to the 
United States and its people from information and communications 
technology or services designed, developed, manufactured, or supplied 
by persons owned by, controlled by, or subject to the jurisdiction or 
direction of a foreign adversary'' and the Department of Homeland 
Security for assessing and identifying ``entities, hardware, software, 
and services that present vulnerabilities in the United States and that 
pose the greatest potential consequences to the national security of 
the United States.'' Pursuant to the EO, Commerce, in consultation with 
other departments and agencies, will determine if an information and 
communications technology or services transaction

  (A)  poses an undue risk of sabotage to or subversion of the design, 
        integrity, manufacturing, production, distribution, 
        installation, operation, or maintenance of information and 
        communications technology or services in the United States;

  (B)  poses an undue risk of catastrophic effects on the security or 
        resiliency of United States critical infrastructure or the 
        digital economy of the United States; or

  (C)  otherwise poses an unacceptable risk to the national security of 
        the United States or the security and safety of United States 
        persons.

    While NIST does not lead any of these assessments or 
determinations, NIST stands ready to provide expertise if and when it 
is requested. NIST continues to work on guidance, methods and tools for 
organizations to conduct cyber supply chain risk assessments and to 
clearly and effectively communicate security requirements and 
capabilities to suppliers and customers.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Jerry Moran to 
                        Charles H. Romine, Ph.D.
    As the U.S. Government's repository of standards-based 
vulnerability management data, NIST's National Vulnerability Database 
(NVD) plays a critical role in receiving, standardizing, and analyzing 
cybersecurity vulnerabilities as they are discovered.
    Question 1. You indicated in your testimony that IoT 
vulnerabilities are accounted for in the database, but can you please 
explain how common these types of vulnerabilities are as compared to 
other information technology vulnerabilities? Have you seen any 
patterns of increased reporting frequency related to IoT devices?
    Answer. As of now, IT vulnerabilities make up the majority of items 
accounted for in the National Vulnerability Database, but we do see an 
increase in the reporting of vulnerabilities related to IoT. This is to 
be expected with the continuing growth of IoT applications. NIST will 
continue to work with industry, standards bodies, and the Common 
Vulnerabilities and Exposures (CVE) Board to ensure that IoT vendors and 
the vulnerability research community participate in this open and 
common method for alerting and reporting about vulnerabilities.
    Your testimony described NIST's Internal Report 8200 that was 
published in November 2018. The report described five separate IoT 
technology application areas including connected vehicles, consumer 
products, health processes, smart buildings, and smart manufacturing 
capabilities. As you are likely aware, there are comprehensive 
applications of IoT in the agricultural economy, often referred to as 
``precision agriculture.'' Precision agriculture equipment appears to 
fall into a few of these listed categories from the report.

    Question 2. How is NIST accounting for agricultural applications of 
IoT in its considerations of promoting data security and privacy 
standards?
    Answer. NIST IR 8200 selected five example IoT technology 
application areas to provide context for the analysis of available 
cybersecurity standards for IoT but does not reduce the applicability 
of the report across applications. Much existing cybersecurity and 
privacy work at NIST is applicable to agricultural applications of 
IoT, such as the Cybersecurity Framework and the Privacy Framework 
initiatives. NIST IR 8228 highlights areas of consideration for privacy 
and cybersecurity of IoT that are broadly applicable. The ongoing NIST 
work to identify a core set of cybersecurity capabilities for IoT 
devices is intended to identify a ``floor'' across most IoT devices, 
regardless of industry vertical.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Todd Young to 
                        Charles H. Romine, Ph.D.
    Question 1. Can you speak to what the Federal Government is 
currently doing to prepare for future Internet of Things (IoT) cyber 
threats the country may face?
    Answer. NIST cannot speak for other Federal Government agencies.
    NIST's Cybersecurity for the Internet of Things program supports 
the development and application of standards, guidelines, and related 
tools to improve the cybersecurity of connected devices and the 
environments in which they are deployed. By collaborating with 
stakeholders across government, industry, international bodies, and 
academia, the program aims to cultivate trust and foster an environment 
that enables innovation on a global scale.

    Question 2. What more can and should NIST, the Department of 
Commerce, and others in the Executive Branch be doing to prepare?
    Answer. Some of the considerations NIST is addressing in IoT 
include the following:

    • Mitigate risks through education and awareness. As an 
        organization becomes aware of its current and potential IoT 
        usage, it needs to understand IoT device risk considerations 
        and the challenges they present. An organization using IoT 
        devices may need to adjust organizational policies and 
        processes to address the cybersecurity and privacy risk 
        mitigation challenges throughout the IoT device lifecycle and 
        implement updated mitigation practices for the organization's 
        IoT devices.

    • Maintain U.S. leadership in IoT-related standards 
        development. It is vital to build a pipeline of contributions 
        for the development of standards. Research can lead to new 
        ideas and discoveries that form the basis for new standards 
        that benefit consumers.

    • Develop a workforce prepared to address IoT challenges. 
        Workforce development is an essential element of preparedness. 
        The National Initiative for Cybersecurity Education (NICE) 
        Cybersecurity Workforce Framework provides a roadmap for 
        cybersecurity workforce management, as well as for the delivery 
        of education and training content across the Nation.

    Question 3. What statutory authority do NIST and other government 
stakeholders require to take appropriate action?
    Answer. NIST is carrying out its IoT-related programs under its 
existing statutory authorities.

    Question 4. What is the single greatest IoT threat to the average 
consumer?
    Answer. Addressing security throughout the life-cycle of IoT 
products and services, and securing the web and cloud interfaces, will 
be keys to improving security of IoT for consumers of these products 
and services, whether they are individuals, businesses or governments. 
The IoT world of the future will require secure connectivity and user 
confidence in security. It will be challenging for manufacturers and 
developers of consumer-grade, low-cost IoT devices to view the cost of 
life-cycle device security as a necessity.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Amy Klobuchar to 
                        Charles H. Romine, Ph.D.
    My bill with Senator Thune, the Cyber Security Exchange Act, would 
establish a public-private exchange program to recruit cybersecurity 
experts in the private sector and academia to do tours of duty in the 
Federal Government for up to two years, while also creating a program 
for government cybersecurity experts to do rotations in the private 
sector.

    Question 1. In your view, is our current cybersecurity workforce 
adequately trained and distributed among Federal agencies to properly 
secure Internet of Things (IoT) devices from cyberattacks?
    Answer. NIST shares your concern about the Federal Government's 
preparedness for securing our information systems, including IoT 
devices, from cyber-attacks. To address these concerns, NIST plays a 
lead role in implementing the Executive Order on America's Cyber 
Workforce and convenes the National Initiative for Cybersecurity 
Education (NICE) Interagency Coordination Council, among other 
activities. NIST does not play a role in measuring the adequacy of 
training at other Federal departments and agencies, or in evaluating 
workforce distribution among agencies for securing IoT devices.

    Question 2. How would such a public-private exchange program help 
the ongoing effort to secure vulnerabilities in IoT devices?
    Answer. The Administration does not have a position on the Cyber 
Security Exchange Act. However, the Executive Order on America's Cyber 
Workforce notes ``The United States Government must enhance the 
workforce mobility of America's cybersecurity practitioners to improve 
America's national cybersecurity. During their careers, America's 
cybersecurity practitioners will serve in various roles for multiple 
and diverse entities. United States Government policy must facilitate 
the seamless movement of cybersecurity practitioners between the public 
and private sectors, maximizing the contributions made by their diverse 
skills, experiences, and talents to our Nation.'' As a general matter, 
exchange programs have the potential to provide employees the 
opportunity to develop and improve skills in diverse settings and to 
apply those new and improved skills in this rapidly changing area to 
better mitigate all types of cybersecurity vulnerabilities. In 2018, 
the Administration submitted a legislative proposal to amend subpart B 
of part III of title 5, United States Code by adding a new chapter 
titled ``Assignments To and From External Organizations,'' which would 
authorize agencies to establish an Industry Exchange Program, for 
science, technology, engineering, or mathematics. These fields, which 
include cybersecurity, could benefit from an exchange of ideas and 
talent between the Federal Government and private sector.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Roger Wicker to 
                             Matthew Eggers
    Question 1. Mr. Eggers, in your testimony, you noted that market 
and/or policy incentives may be needed to jump-start development of IoT 
cybersecurity components and business practices. What are some of the 
incentives that could drive businesses to build better cybersecurity 
into the design of their Internet-connected products?
    Answer. The Chamber is assessing the establishment of a Buy Strong 
IoT Coalition to promote the production, purchase, and deployment of 
more secure IoT products. We want device makers, service providers, and 
buyers to gain from the business community leading the development of 
state-of-the-art IoT components and sound risk management practices. 
But which comes first--strong devices or strong market demand? 
Stakeholders are trying to think through and solve a chicken-and-egg 
strategy problem.
    If created, the Coalition would explore facilitating a process in 
the marketplace that generates both security and value for buyers and 
sellers. Indeed, market and/or policy incentives may be needed to 
initiate progress, but the specifics are yet to be determined.
    Meanwhile, the Chamber recognizes that increasing IoT cybersecurity 
is a challenge that no single group or business association can tackle 
alone. Any solution(s) that the Coalition develops needs to be 
ambitious yet manageable. Proposed solutions also need to be tested to 
avoid mistakes, as well as communicated to the public. It is difficult 
for a coalition that comes up with a solution(s) to also have the 
influence and resources to implement it alone. This means that the 
Coalition is going to have to persuade other people, including members 
of Congress and administration officials, to buy in to its goals and 
want to help industry succeed.

    Question 2. How serious is the U.S. dependence on foreign 
information and communications technology? Who are we dependent on and 
how do we reduce this dependence to ensure the security of the U.S. 
supply chain?
    Answer. Supply chains are the arteries of American commerce. They 
affect companies large and small, are essential to U.S. 
competitiveness, and help determine our quality of life. Information 
and communications technology (ICT), or cyber, supply chains are a 
driving factor in the most critical debates of the day.
    Our ICT supply chains are deeply interwoven with a number of 
foreign trading partners. The Chamber believes that ICT security policy 
must be geared toward facilitating trade and managing risk. The cyber 
supply chain is a globally distributed, interconnected set of 
organizations, people, processes, services, and other elements. 
American companies are committed to ensuring that their ICT products 
and services reflect the latest cybersecurity protection, while 
maintaining their organizations' place in a highly competitive 
marketplace.
    The Chamber is calling for a swift, private sector-led rollout of a 
secure 5G network as part of our push to bolster U.S. infrastructure 
and economic prosperity. Developing and deploying cellular networks 
that cover an entire country and reliably serve millions of subscribers 
present an array of challenges and opportunities. Complexity and high 
equipment costs, for instance, have favored some large foreign vendors 
that offer relatively inexpensive solutions, including bundling 
technology, services, and financing in a single offering. This 
arrangement has created some dependence on a handful of overseas 
providers.
    The Chamber is assessing the pros and cons of new approaches, such 
as virtualized networking technology (aka network function 
virtualization), which can feasibly offer pathways to reduce such 
dependency by leveraging a broader array of off-the-shelf ICT 
solutions. Meanwhile, ambitious public-and private-sector efforts are 
underway to manage cyber supply chain risk and threats. The Chamber is 
engaging the administration on the White House's May 2019 executive 
order on securing the ICT supply chain, as well as related initiatives.
    Our Cybersecurity Working Group is reviewing a number of bills that 
are germane to your question, including S. 893, the Secure 5G and 
Beyond Act of 2019; S. 1457, the Sharing Urgent, Potentially 
Problematic Locations that Yield Communications Hazards in American 
Internet Networks (SUPPLY CHAIN) Act of 2019; and S. 1625, the United 
States 5G Leadership Act of 2019. The latter bill, which you sponsored, 
calls for a new Supply Chain Security Trust Fund grant program.
    While the Chamber has not yet taken a position on S. 1625, this 
program could help communications providers, particularly those in 
rural areas, remove from their networks certain equipment determined to 
possibly threaten U.S. national security. Your bill offers a novel 
approach to strengthening cyber supply chains. The Chamber welcomes 
discussing it with you and your staff members.
                                 ______
                                 
    Response to Written Question Submitted by Hon. Roger Wicker to 
                              Robert Mayer
    Question. How serious is the U.S. dependence on foreign information 
and communications technology? Who are we dependent on and how do we 
reduce this dependence to ensure the security of the U.S. supply chain?
    Answer. Thank you for the opportunity to respond to the question 
from Senator Roger Wicker.
    The U.S., like other nations, has a high degree of dependency on 
foreign information and communications technology. It is the very 
nature of today's hyper-interconnected world that creates these mutual 
dependencies that for the most part have served to fuel unprecedented 
levels of innovation and economic growth. Trust is the single most 
essential factor necessary to ensure the integrity and sustainability 
of this economic and social engine.
    When we look broadly at this ecosystem from the perspective of 
information and communications technology and services, we see a highly 
competitive and global market where the U.S. procures products from, and 
provides product to, a large number of organizations throughout the 
world. When we narrow the aperture to the procurement of 
telecommunications equipment, especially with respect to products and 
services that are needed for wide-scale 5G deployment, our dependency 
on foreign-sourced equipment and services becomes more acute.
    As I indicated in my testimony, there are three main alternative 
suppliers to Huawei which include Nokia, headquartered in Finland, 
Ericsson in Sweden, and Samsung in South Korea. USTelecom members are 
working closely, productively, and cooperatively with these and other 
global partners to ensure accountability around security and privacy 
and to embrace those business practices that have been proven to build 
increasing trust over time.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Todd Young to 
                              Robert Mayer
    Question. Mr. Mayer, in your testimony you discuss the strategic 
partnership between global industry leaders and the important mission 
of the Council to Secure the Digital Economy, which ``is to identify 
sophisticated and evolving cyber threats and the security practices.''
    Given that there is consistent evidence of IoT security 
vulnerabilities, how concerning is it to see U.S. allies allowing the 
same technology companies--that the U.S. has deemed to be a national 
security threat--to operate within their borders?
    Answer. USTelecom formed the Council to Secure the Digital Economy 
in 2018 in response to the growing recognition that cybersecurity is a 
global problem that requires global solutions; the convergence of 
information, communications and technology necessitates strong cross-
sector collaboration.
    Since we formed this industry-led initiative with 13 of the largest 
global ICT companies, we have worked in close partnership with multiple 
Federal agencies including the Department of Homeland Security (DHS), 
the National Telecommunications and Information Administration (NTIA), 
and the National Institute of Standards and Technology (NIST). We are 
now expanding our engagement with international governments as we 
pursue further work in the area of botnets, IoT baseline security, and 
cyber crisis coordination.
    There is no question that IoT security is one of the most 
significant cybersecurity challenges we face today and it requires 
vigilant leadership from both industry and governments throughout the 
world. When companies are found to present undue risk to a nation's 
national and economic security, and when those risks have the potential 
of harming the global digital ecosystem, it is imperative that 
governments work to mitigate those risks.
    The U.S. Government is taking strong measures to assess and address 
what the national security community has defined as an ``unusual and 
extraordinary'' threat. While the IoT threat will not be eliminated as 
a result of any prohibition on a single country or company, it is our 
hope that discussions with our allies produce a common understanding of 
the threat and that appropriate risk mitigation measures are taken to 
effectively address the threat.
                                 ______
                                 
    Response to Written Question Submitted by Hon. Amy Klobuchar to 
                              Robert Mayer
    Question. In order to identify gaps in the availability of 
broadband service on farmland and ranchland, Chairman Wicker and I 
introduced the Precision Agriculture Connectivity Act, which was signed 
into law as part of the 2018 Farm Bill. While reliable broadband is the 
foundation to help farmers streamline their operations, improve crop 
yields, and boost their bottom line, IoT smart agriculture also plays a 
critical role in improving farming. Can you discuss how the security of 
IoT smart devices is critical for many industries, especially in rural 
areas?
    Answer. Thank you for the opportunity to respond to the question 
from Senator Amy Klobuchar.
    USTelecom is committed to securing IoT devices across all 
industries, including agriculture, and in partnership with the Consumer 
Technology Association we convened 13 global companies and a group of 
20 organizations to develop the leading industry consensus on IoT 
security worldwide (known as the C2 Consensus).\1\
---------------------------------------------------------------------------
    \1\ Council to Secure the Digital Economy, The C2 Consensus on IoT 
Device Security Baseline Capabilities (2019), https://securingdigitaleconomy.org/wp-content/uploads/2019/09/CSDE_IoT-C2-Consensus-Report_FINAL.pdf.
---------------------------------------------------------------------------
    Our project leveraged hundreds of subject matter experts across the 
communications and IT sectors based on the principle that the best way 
to achieve security is to advance security specifications developed by 
the world's leading experts.
    The core set of baseline capabilities we developed are broadly 
applicable--vertically and horizontally--across markets. They apply to 
the diverse range of new IoT devices, accommodating the broad spectrum 
of device complexity, regardless of the deployment environment.
    The agricultural industry is no exception. IoT devices used for 
smart agriculture are neither immune to being compromised and used in a 
pervasive botnet attack nor are they invulnerable to being targets of a 
cyber-attack. An attack that disrupts or manipulates IoT agriculture 
devices could cause losses to the Nation's farmers and the agricultural 
industry more broadly. As more IoT smart agriculture devices come to 
market and are increasingly used in precision farming, we would 
encourage the U.S. agricultural industry to make use of the security 
advances that USTelecom and its partners are actively promoting, along 
with practices based on industry-specific risk profiles. By raising the 
market's expectations for security, our recommendations will help to 
lift all new IoT devices' cybersecurity, including devices used in 
agriculture.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Roger Wicker to 
                            Michael Bergman
    Question 1. Who is best suited to promote and drive increased IoT 
cybersecurity--the businesses that manufacture, supply and sell 
connected devices or the consumers that buy them?
    Answer. The Consumer Technology Association (CTA) represents more 
than 2,200 member companies, 80 percent of which are small businesses 
and startups. Given its role in the industry, CTA is working to secure 
devices by coordinating with the businesses that manufacture, supply 
and sell them. CTA is uniquely positioned to play this important role 
because of its expertise, experience and broad membership across the 
entire consumer technology industry. CTA also has a long history as a 
technical standards body, dating back to the 1920s. CTA's Technology 
and Standards program is accredited by the American National Standards 
Institute and includes more than 70 committees and over 1,000 
participants.
    With respect to device security, CTA has taken several steps to 
help coordinate the security efforts of its members. In May 2018, CTA 
announced that it was working with the Council to Secure the Digital 
Economy (CSDE) to develop the International Anti-Botnet Guide. The 
Guide is a playbook that offers companies across the digital ecosystem 
a set of baseline tools, practices and processes they can adopt to help 
protect against the threat of botnets and other automated distributed 
attacks in addition to advance security. In March 2019, through the 
CSDE, CTA convened 18 major cybersecurity and technology organizations, 
industry associations and standards bodies to identify baseline 
security capabilities for the rapidly growing IoT marketplace 
(``Convene the Conveners'' or C2). This unprecedented industry effort 
seeks to identify baseline security capabilities for the rapidly 
growing IoT marketplace.
    CTA is undertaking this work with its members on IoT security to 
protect consumers. For example, CTA is developing industry consensus 
for IoT security capabilities that will help consumers directly in 
addition to companies in the retail sector who are increasingly focused 
on ensuring the products they sell adequately protect their customers. 
Retailers want their consumers to feel comfortable and safe when buying 
products, and CTA shares this desire. CTA has also invested in 
educating consumers and businesses about security and will continue 
moving forward. As an example, CTA, in partnership with the Department 
of Justice's Cybersecurity Unit, released consumer guidance on securing 
IoT devices in July 2017.\1\ In addition, CTA has developed and 
released the Connected Home Security System to guide connected home 
dealers and professionals through the most secure and best practices 
available for installing and configuring products, devices and systems.
---------------------------------------------------------------------------
    \1\ U.S. Department of Justice Cybersecurity Unit and Consumer 
Technology Association, Securing Your ``Internet of Things'' Devices 
(July 2017), available at https://www.justice.gov/criminal-ccips/page/file/984001/download.
---------------------------------------------------------------------------
    Consumers are already faced with a significant number of features 
when choosing a device, and indications are that they expect the 
manufacturer and retailer to ensure that the device is secure at the 
time of purchase. Educating consumers on security--that they should 
consider it and what to look for--is a significant task. CTA and its 
member companies are focused on making devices secure.
    Question 2. What are the challenges associated with an IoT device 
cybersecurity certification and labeling scheme?
    Answer. At CTA, we are focused on ensuring the devices themselves 
are secure; that is our priority. A critical first step is achieving 
industry consensus for IoT security baselines. That is why CTA has 
initiated, through the Council to Secure the Digital Economy (CSDE), a 
convening of 18 major cybersecurity and technology organizations, 
industry associations and standards bodies to identify baseline 
security capabilities for the rapidly growing IoT marketplace 
(``Convene the Conveners'' or C2) effort. It is also why CTA is working 
closely with the National Institute of Standards and Technology (NIST) 
in the agency's efforts to create a core IoT Cybersecurity Capabilities 
Baseline.
    CTA has been supportive of other labeling efforts, like the Energy 
Star labeling program. However, it is important to recognize that 
evaluating cybersecurity risk is different from labeling a product for 
energy consumption. A labeling or certification regime is only as 
strong as the requirements upon which the regime is built. But 
prescriptive requirements, whether they come in the form of a 
regulation or in the form of labeling, suffer from the same weaknesses 
with respect to cybersecurity. Manufacturers are best equipped to 
develop secure devices when they can decrease risk through flexible 
approaches and best practices that are outcome driven.
    It must also be noted that consumers are faced with many labels, 
icons and marks when purchasing a new product. Another label or mark 
will be one of many, so the consumer must be taught to look for this 
element. This consumer education is a significant undertaking and is 
not addressed by labeling proposals at this time.

    Question 3. How serious is the U.S. dependence on foreign 
information and communications technology? Who are we dependent on and 
how do we reduce this dependence to ensure the security of the U.S. 
supply chain?
    Answer. The U.S. government has taken actions in recent weeks 
regarding certain aspects of the global supply chain for information 
and communication technology (ICT). CTA will continue its efforts to 
promote trust and security throughout the ICT environment.
    This work must take place globally, with U.S. government and 
industry leadership. Largely due to U.S.-led innovations, the present 
ICT environment draws on--and will continue to draw on--a robust and 
dynamic global supply chain. CTA is focused on ensuring information and 
communications technology is secure, no matter where it is 
manufactured. In CTA's view, the important question is whether a 
manufacturer of a device or technology can be relied upon to produce it 
securely.
    CTA's priority on securing information technology is reflected in 
the leadership role it has played, for example, through the Council to 
Secure the Digital Economy (CSDE) a convening of 18 major cybersecurity 
and technology organizations, industry associations and standards 
bodies to identify baseline security capabilities for the rapidly 
growing IoT marketplace (``Convene the Conveners'' or C2).

    Question 4. Given the hearing discussion about potential mandates 
for IoT devices, can you share CTA's past experience regarding 
proposals with technological mandates and their effect on innovation?
    Answer. Technological innovation moves much faster than Congress 
and regulation, which means that technology mandates fail to keep pace 
with innovation. In the cybersecurity context, the absence of 
technology mandates has allowed public-private partnerships to develop 
and innovative security solutions to flourish. We believe dynamic 
solutions driven by powerful market forces are the best answer to 
global, systemic challenges to IoT security. IoT security solutions 
must include ecosystem-wide consensus, voluntary standards and best 
practices and standards that scale. NIST's recent efforts on IoT 
security best represent the productive, important role government 
should play in cybersecurity. CTA will continue to engage in NIST's 
process via the C2 effort, a convening of 18 major cybersecurity and 
technology organizations, industry associations and standards bodies to 
identify baseline security capabilities for the rapidly growing IoT 
marketplace.
    In contrast, technological mandates can cause negative consequences 
for consumers. For example, on August 31, 2017, the Federal 
Communications Commission (FCC) finally sunset its requirement for 
televisions and other devices to have analog tuners, eight years after 
full-power broadcast stations ceased transmitting analog signals. This 
mandate forced manufacturers to build bulkier, more expensive devices 
rather than innovating to meet consumer demand. For the manufacturers 
that wanted to market smaller, cheaper and more modern devices, they 
had to petition the FCC for permission, in turn tying up both industry 
and government resources without a benefit to consumers.
    Meanwhile, government mandates can also backfire in other ways. In 
1996, Congress mandated that all TV sets include the so-called ``V-
Chip,'' a feature that CTA developed as an option to allow parents to 
block children's viewing of selected programs. Prior to the mandate, 
television manufacturers said they would promote the V-Chip feature as 
a factor differentiating their sets from competitive models. However, 
once the V-Chip was required in virtually every TV set, manufacturers 
had no competitive reason to advertise or showcase the feature. Because 
of the mandate, the V-Chip was a marketplace failure and has been 
widely ignored by consumers. A 2001 study showed that only 9 percent of 
families used the feature regularly, and that number has doubtlessly 
fallen even lower since then.\2\
---------------------------------------------------------------------------
    \2\ Gabrielli, J., Traore, A., Stoolmiller, M., Bergamini, E., & 
Sargent, J. D. (2016). Industry Television Ratings for Violence, Sex, 
and Substance Use (3rd issue., Vol. 183, Rep.). See: https://pediatrics.aappublications.org/content/138/3/e20160487
---------------------------------------------------------------------------
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Jerry Moran to 
                            Michael Bergman
    Question 1. The Modernizing Government Technology (MGT) Act was 
enacted in 2017 in an effort to replace unsupported, legacy IT systems 
that plagued Federal agencies and posed significant cybersecurity risks 
to the Nation's critical infrastructure.
    While IoT devices are relatively new developments compared to most 
legacy IT systems used by Federal agencies, how should ``patching'' 
updates be used to protect against preventable cyber vulnerabilities in 
IoT devices?
    Answer. The Chamber applauds Sen. Moran's leadership on developing 
and passing the MGT Act. Many parts of the Federal Government's 
information technology (IT) infrastructure are woefully outdated. 
Obsolete technology systems are inefficient and especially susceptible 
to cyberattacks, which, among other challenges, puts the personal 
information of citizens at risk. The bipartisan MGT Act will help the 
Federal Government improve its information systems.
    The Chamber urges businesses to keep all software current, 
including enterprise information systems, web browsers, and IoT 
devices. Software flaws are nearly unavoidable in devices, making the 
ability to patch software and firmware necessary. The Chamber supports 
the inclusion of an update mechanism in the draft IoT cyber baseline. 
NIST's proposed suite of cyber capabilities calls for the software and 
firmware in IoT devices to be updated using a secure, controlled, and 
configurable process.

    Question 2. Your testimony described Project Security's engagement 
with over 30 foreign governments to create and implement their 
respective cybersecurity programs in an effort to promote international 
alignment of ``flexible, globally accepted risk-based approaches to 
cybersecurity.''
    Would you please describe the most significant barriers to 
successfully aligning our Nation's cybersecurity standard frameworks 
with those of other governments?
    Answer. Persuading foreign officials to adopt the industry-led IoT 
cyber baseline is a key hurdle to aligning U.S. approaches to 
cybersecurity with those of other governments. The Chamber believes 
that IoT cyber efforts are most effective if they reflect international 
standards and industry-driven practices. Standards, guidance, and best 
practices relevant to cybersecurity are typically led by the private 
sector and adopted on a voluntary basis; they are optimal when 
developed and recognized globally. Such approaches avoid burdening 
multinational enterprises with the overlapping, and often conflicting, 
requirements of multiple jurisdictions.
    The Chamber appreciates that NIST has been actively meeting with 
foreign governments urging them to embrace a core IoT security 
capabilities baseline. The Chamber urges the administration to work 
with international partners and believes that these discussions should 
be stakeholder driven (e.g., industry actively participates) and occur 
routinely. A fragmented global cybersecurity environment creates much 
uncertainty for device makers and buyers and splinters the resources 
that businesses devote to sound device development, production, and 
assessments. Congress should support NIST's efforts on IoT cyber 
outreach with additional funding.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Todd Young to 
                            Michael Bergman
    Question 1. What is the most effective approach policymakers can 
take to incentivize businesses to adopt necessary cybersecurity 
protections from IoT?
    Answer. The U.S. Chamber of Commerce appreciates that Congress is 
contemplating incentives that induce the practical, voluntary use of 
the core cybersecurity capabilities baseline for Internet of Things 
(IoT) devices. The IoT cyber baseline is being developed by industry 
and the National Institute of Standards and Technology (NIST) and is 
expected to be completed in 2019.
    The Chamber believes that policies intended to encourage businesses 
to adopt sound cybersecurity practices, including those related to 
internet-connected devices, must feature flexibility and support robust 
public-private engagement. The most important incentive that Congress 
and the administration could extend to companies is the assurance that 
the IoT cyber baseline will remain collaborative, adaptable, and 
innovative over the long term. The presence of these qualities, or the 
lack thereof, will be a key determinant of participation by industry in 
an IoT cyber baseline. Closely related, businesses want government 
partners in the fight against organized criminals and nation states or 
their proxies that threaten IoT devices.
    Any IoT cybersecurity regime that industry concludes favors 
compliance and bureaucracy over creativity, speed, and dynamism will 
almost certainly create a powerful disincentive to participation by the 
private sector. Incenting businesses to use a rigid and prescriptive 
IoT cyber baseline will distort the marketplace by driving private-
sector investment toward compliance with lowest common-denominator 
solutions, thus making the U.S. less secure.

    Question 2. What is the most effective approach policymakers can 
take to incentivize consumers to adopt necessary cybersecurity 
protections from IoT?
    Answer. The Chamber is working to better understand buyer behavior. 
A number of IoT cyber advocates take a ``build it and they will come'' 
approach to IoT cyber, which is consistent with traditional, rational 
notions of economics. But it is unclear if consumers--including 
individuals, households, businesses, and public institutions--will (1) 
pay for the cost of additional security features or (2) be able to 
identify a strong device without a nonregulatory tool to help them make 
educated choices.
    The Chamber is seeking to discern how people make purchasing 
decisions regarding IoT technology and supports the introduction of 
more secure devices into the networks of businesses and the hands of 
consumers. Accordingly, the Chamber is exploring the creation of a Buy 
Strong IoT Coalition. The group would advance sensible public policies 
in this space and promote the production and deployment of secure IoT 
products both domestically and internationally. The Coalition would 
convene discussions with multiple stakeholders to frame key problems 
and sell a solution(s) to a broader audience, consumers included.
    The 2018 Botnet Road Map calls for establishing robust markets for 
consumer and industrial devices. The Chamber believes that the IoT 
ecosystem would benefit from the leadership of the business community 
in the development of cutting-edge devices and risk management 
activities. The Coalition would facilitate a market-based process that 
generates both security and value for buyers and sellers. A key goal of 
the Coalition is to make the purchase of strong connected devices 
increasingly understandable, easy to do, and widespread.

    Question 3. How important is Federal preemption of state laws?
    Answer. A national approach to bolstering IoT cybersecurity is 
critical to reducing the expanding policy and regulatory fragmentation 
that is taking place domestically and overseas. There is a clear market 
demand for a common IoT cyber baseline to guide a path for businesses 
and standards bodies to follow. A fragmented cybersecurity environment 
creates uncertainty for device makers and buyers and splinters the 
resources that businesses devote to sound device development, 
production, and assessments.
    The Chamber urges the Senate Commerce Committee to consider 
legislation that would spur device makers to build to the cyber 
baseline, while granting legal liability and regulatory protections to 
the makers and sellers of strong IoT equipment.
                                 ______
                                 
    Response to Written Question Submitted by Hon. Roger Wicker to 
                             Harley Geiger
    Question. How serious is the U.S. dependence on foreign information 
and communications technology? Who are we dependent on and how do we 
reduce this dependence to ensure the security of the U.S. supply chain?
    Answer. IoT technologies are manufactured, operated, and consumed 
around the world. Just as U.S. technologies and services are consumed 
abroad, technology manufactured in other regions is certainly consumed 
in the US. Rapid7 has no data on which regions supply the most 
technology to the US, though we believe it is always advisable to 
investigate and evaluate risk. In regards to IoT, we encourage the U.S. 
to seize the opportunity to bring clarity to the IoT supply chain, 
evaluate the vulnerabilities and exposures most common to these devices 
and their ecosystems, and implement updated management programs to work 
both post-market and across the manufacturing process.
    One thing we have experienced first-hand is the added complexity of 
coordinating vulnerability disclosures with manufacturers in multiple 
regions and timezones. Rapid7 supports a collaborative model of 
vulnerability disclosure for IoT devices based on transparent 
guidelines. It would be valuable to establish a system or authority 
that can help those who discover vulnerabilities in IoT devices or 
components to identify affected manufacturers and service providers, 
assist with the disclosure, track the remediation of vulnerabilities, 
and coordinate with relevant third parties both domestically and 
internationally.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Jerry Moran to 
                             Harley Geiger
    Question 1. The Department of Commerce report titled ``Fostering 
the Advancement of the Internet of Things'' that was published in 2017 
highlighted concerns related to connected device manufacturers' 
capabilities to effectively update and upgrade their devices to 
mitigate security flaws. Rapid7 provided comments to the Department of 
Commerce in the development of the report that flagged that 
``manufacturers entering the IoT space do not traditionally offer 
frequent or fast-paced support or updates on their products, and are 
only beginning to look into quick response practices for vulnerability 
patching.''
    Do you have any recommendations for this committee to effectively 
promote or incentivize proactive ``patching'' solutions among connected 
device manufacturers?
    Answer. When it comes to patching, the general distinction between 
IoT manufacturers and operators matters, though these roles can 
sometimes be interwoven. Manufacturers assemble the physical devices or 
``things'' that end-users interact with. The operator provides services 
that incorporate the device, as well as backend systems in the cloud 
(where the data relating to the device and its usage is normally 
stored), and often some kind of web or mobile interface (through which 
the device is accessed). Confusingly, the ``manufacturer'' may also be 
the ``operator,'' depending on whether they are only providing the 
physical endpoint or also running the web-based components.
    This distinction matters because the incentives to patch can be 
different for manufacturers and operators. The incentives for 
manufacturers of the physical technologies to provide patching 
capability, and to actually issue patches, most often come from their 
customers (such as operators) demanding them, or regulators mandating 
them (commonly in relation to safety concerns). The incentives for 
operators to patch backend systems often come from risk management 
concerns around liability, reputation, and harm (for example, risk of 
data breach). It is also important to recognize that manufacturers and 
operators may have limited control over each other's patching 
processes, and are often reliant on the other to keep up with patching.
    Below, we provide three recommendations for the Committee to 
incentivize IoT patching that touches on both manufacturers and 
operators: data security legislation, agency regulation of specific 
sectors, and consumer transparency. These recommendations are intended 
to work together, and we believe they are achievable in both the policy 
and technical sense.

  1)  Require reasonable security for personal information. 
        ``Reasonable security'' should include security updates, where 
        appropriate based on the risks.

      Legislation that requires reasonable security protections for 
        personal information will apply to IoT devices collecting and 
        processing that information, and thus to operators running the 
        systems that handle that data. The security update capability, 
        and the actual deployment of updates to patch known 
        vulnerabilities, will be among the basic technical controls 
        regulators consider when evaluating whether an IoT operator 
        provides reasonable security for personal information. This 
        will strengthen the security of IoT devices and related 
        technologies (such as cloud storage of information collected 
        through IoT devices) in sectors that are otherwise not covered 
        by the jurisdiction of Federal agencies. This can also prompt 
        IoT operators to place greater pressure on device manufacturers 
        to include a patching capability and mitigate known 
        vulnerabilities as needed. There are many examples of a 
        reasonableness requirement for data security in Federal and 
        state statutes and regulations which the Committee may draw 
        upon. A requirement of reasonable security for personal 
        information should not be IoT-specific, but should encompass 
        IoT as well as other technologies. Security of personal 
        information is fundamental to privacy and should be included in 
        any privacy legislation. Even if a privacy bill fails to move 
        forward, it would still be worthwhile for the Committee to 
        consider legislation that would require reasonable security for 
        personal information.

  2)  Support coordinated but enforceable agency actions on IoT 
        security based on industry standards. These actions may include 
        security-by-design principles, such as security update 
        capability.

      Rapid7 believes the combined effect of agencies' proactive 
        sector-specific requirements, existing FTC unfairness 
        authority, and data security legislation (as referenced above), 
        would promote broader adoption of basic IoT security practices, 
        including patching. To the extent possible, these efforts 
        should be coordinated around an IoT security baseline, driven 
        by consensus and grounded in standards, to avoid fragmented 
        requirements.

      Federal agencies have domain expertise and existing authority to 
        require basic IoT security within their areas of jurisdiction--
        such as NHTSA for vehicles, FDA for medical devices, CPSC for 
        product safety, FAA for drones, OMB for government procurement, 
        FTC for unfairness, etc. These requirements can include 
        security-by-design principles for IoT manufacturers, such as 
        incorporating a security update capability from the design 
        phase forward. Many agencies have begun the work of clearly 
        describing their expectations for IoT security, but many others 
        have not. The Committee should support agencies' efforts and 
        exercise its oversight role to ensure that agencies are acting 
        effectively to strengthen IoT security, or whether legislation 
        is necessary to prompt meaningful action.

      Importantly, not only can agencies encourage adoption of secure-
        by-design practices, agencies can also remove barriers to 
        adoption by clarifying or evolving product certification or 
        approval processes that might be impacted by issuing security 
        updates. For example, in its guidance on Postmarket Management 
        of Cybersecurity in Medical Devices, issued in 2016, the FDA 
        clarified that: ``For cybersecurity routine updates and 
        patches, the FDA will, typically, not need to conduct premarket 
        review to clear or approve the medical device software 
        changes.'' Prior to this publication, fear of having to go 
        through the product approval process again was often cited as a 
        reason for not issuing patches for medical devices.

      Agency IoT security requirements should be harmonized, to the 
        extent possible, by following a consistent baseline supported 
        by industry standards. NIST is currently developing an IoT Core 
        Security Capability Baseline as part of its ``Botnet Roadmap,'' 
        and Rapid7 has advocated for security update capability to be a 
        part of that baseline. The NIST IoT security baseline should be 
        a helpful reference for agencies establishing minimum security 
        expectations across IoT deployments. However, basic IoT 
        security precautions--such as security updates--are already 
        widely recognized in best practices documents, and we are 
        skeptical that completion of new voluntary guidance or best 
        practices is needed before agencies take action on basic IoT 
        security. Voluntary guidance should not replace formal 
        accountability and enforcement mechanisms when baseline 
        security is not met.

  3)  Facilitate voluntary transparency programs for consumer IoT 
        security. The transparency program should consider security 
        update capability as a key feature to communicate to consumers 
        prior to purchase.

      Congress should support consumer awareness programs to enhance 
        the transparency of critical security features of consumer IoT 
        devices, such as certifications, seals, or labels. These 
        critical security features should include whether the device is 
        capable of receiving security updates, as well as the estimated 
        period the manufacturer intends to provide security update 
        support. The NTIA multistakeholder process for IoT security 
        update capability concluded this was key information to 
        communicate to consumers prior to purchase. The UK Dept. for 
        Digital, Culture, Media, and Sport is also undergoing a 
        regulatory consultation to explore requiring retailers selling 
        IoT devices to communicate this information to consumers. As 
        part of the ``Botnet Roadmap,'' the Departments of Commerce and 
        Homeland Security are exploring ways to communicate critical 
        security features to end users prior to purchase.

      A manufacturer or operator indicating they will support a product 
        for a period of time is no guarantee that they will issue 
        patches for every major cybersecurity issue, or do so in a 
        timely manner. However, the incentive is more compelling if FTC 
        Section 5 authorities underpin adherence to claims of security 
        support.

      IoT transparency programs also encourage consumers to think 
        critically about what they can and should expect from their IoT 
        vendors. Providing consumers with clear information about 
        critical security features, such as update capability, in IoT 
        devices will foster market competition based on security, build 
        consumer trust in the security of IoT products, and help 
        consumers fulfill their role in maintaining security.

    Question 2. Your testimony highlighted a list of common 
cybersecurity vulnerabilities and exposures prevalent to IoT devices, 
including insufficient security of stored and transit data, weak 
credentials, mobile application access, and insufficient update 
practices among others.
    Would you please further explain how ``lack of segmentation'' could 
increase the vulnerability of IoT devices?
    Answer. A vulnerability in one device component can provide an 
access point for attackers, who can then use that access to compromise 
other components--unless those components are separated to prevent this 
movement. A hypothetical: Attackers exploit a vulnerability in a smart 
car's infotainment system, and then use that access to compromise the 
car's driving functions--the infotainment system and the driving 
functions are distinct controls, but lack of segmentation between the 
two enabled the attacker to compromise both. This principle can be 
extended beyond components comprising a single device--lack of boundary 
defenses can risk attackers compromising multiple devices or networks 
by gaining access to one vulnerable device.
    Segmentation and boundary defense are included in several best 
practices documents and standards. For example, they are cited as 
foundational controls in the Center for Internet Security's (CIS) 
Critical Security Controls, and reiterated in the Internet of Things 
Security Companion to the CIS Critical Security Controls. Segmentation is also 
included in NIST's NISTIR 8228 ``Considerations for Managing Internet 
of Things (IoT) Cybersecurity and Privacy Risks.''
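    The following is an added illustration of the answer above and is not 
part of the hearing record or of Rapid7's testimony. It models the smart-car 
hypothetical as a small reachability check: a defender supplies the component 
inventory, the links between components, and the boundary policy, and the 
script reports how far a compromise of one component could spread with and 
without segmentation, plus which boundaries contained it. Every component 
name, zone and link in it is constructed for the example.

```python
"""Blast-radius check for a flat vs. segmented device network.

Added example, not part of the hearing record or Rapid7's testimony. It models
the hypothetical in the answer above: an intruder with a foothold in a car's
infotainment unit. Component names, zones and links are constructed.
"""
from collections import deque

# Constructed inventory: component -> trust zone it belongs to.
COMPONENTS = {
    "cloud_api": "external",
    "telematics": "user",
    "infotainment": "user",
    "gateway": "control",
    "engine_ecu": "control",
    "brake_ecu": "control",
}

# Constructed links between components (each usable in both directions
# unless the boundary policy says otherwise).
LINKS = [
    ("cloud_api", "telematics"),
    ("telematics", "infotainment"),
    ("infotainment", "gateway"),
    ("telematics", "gateway"),
    ("gateway", "engine_ecu"),
    ("gateway", "brake_ecu"),
]

# Segmented policy: directed zone pairs across which traffic may be initiated.
# The control zone may push telemetry out to the user zone, but nothing may
# initiate into the control zone from a lower-trust zone.
SEGMENTED_FLOWS = {
    ("external", "user"), ("user", "external"),
    ("user", "user"),
    ("control", "control"),
    ("control", "user"),
}


def flat_policy(src, dst):
    """No segmentation: every link can be traversed in either direction."""
    return True


def segmented_policy(src, dst):
    """Allow a hop only if its (source zone, destination zone) pair is listed."""
    return (COMPONENTS[src], COMPONENTS[dst]) in SEGMENTED_FLOWS


def reachable(start, policy):
    """Return the set of components an intruder controlling `start` could
    reach by hopping across links the policy permits (breadth-first search)."""
    adjacent = {}
    for a, b in LINKS:
        adjacent.setdefault(a, set()).add(b)
        adjacent.setdefault(b, set()).add(a)
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adjacent.get(cur, ()):
            if nxt not in seen and policy(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blocked_hops(start, policy):
    """Hops leading out of the reachable set that the policy denies: these are
    the boundaries that actually contain the intrusion."""
    inside = reachable(start, policy)
    denied = set()
    for a, b in LINKS:
        for src, dst in ((a, b), (b, a)):
            if src in inside and dst not in inside and not policy(src, dst):
                denied.add((src, dst))
    return denied


def blast_radius_report(start):
    """Compare how far a compromise of `start` spreads under each policy."""
    return {
        "flat": sorted(reachable(start, flat_policy)),
        "segmented": sorted(reachable(start, segmented_policy)),
        "containing_boundaries": sorted(blocked_hops(start, segmented_policy)),
    }


if __name__ == "__main__":
    for name, members in blast_radius_report("infotainment").items():
        print(f"{name}: {members}")
```

With the flat policy the report lists all six components as reachable from 
the infotainment unit; with the segmented policy it lists only the user-zone 
components and the cloud endpoint, and names the two user-to-control hops as 
the boundaries that held. The same structure can be fed a real inventory and 
the allow-list of a gateway or firewall to review whether a proposed rule set 
actually separates the components it is meant to separate.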

    Question 3. Based on the multiple components that oftentimes make 
up the circuitry of the IoT device, does this make the ``supply chain'' 
cybersecurity protocols increasingly difficult to track for these 
devices?
    Answer. Yes. The supply chain for IoT is complex, and 
manufacturers' use of commodity, third party hardware, software, and 
subcomponents can lead to ambiguity of ownership for developing and 
deploying security updates and vulnerability mitigations. Individual 
off-the-shelf software components may be months-to-years old before 
being assembled into the final product, bringing old and commonly known 
software vulnerabilities along with them. The widespread use of common 
components also means that a vulnerability in one component can be 
present in many disparate devices. The interdependencies among common 
components can leave end-users exposed while the details of remediating 
vulnerabilities are worked out between vendors.

    Question 4. Please describe in detail the harms associated with 
enacting a Federal preemptive privacy bill that excludes security 
provisions. Does a Federal breach notification requirement need to be 
included in any Federal privacy legislation that is considered?
    Answer. Data security is fundamental to privacy and failure to 
include it in privacy legislation will be harmful. First, it's 
important to be precise about what we mean when we refer to data 
security. In the context of privacy legislation, ``data security'' is a 
requirement to protect personal information--however ``personal 
information'' is defined in the legislation. This is an affirmative, 
not an implied, obligation for covered entities to provide reasonable 
technical, administrative, and physical safeguards to protect personal 
information from unauthorized access or accidental breach. In this 
context, data security does not encompass the security of data or 
systems that have nothing to do with the personal information protected 
by the privacy legislation.
    Failure to incorporate data security provisions into privacy 
legislation risks harm to consumers, businesses, and the U.S. approach 
to data protection law. These harms will be especially severe if a 
Federal bill preempts state privacy laws, which include laws requiring 
security of personal information, without establishing a Federal data 
security standard that is at least as strong as the status quo.

   • Consumers: Consumers will be harmed because of the increased 
        risk of unauthorized access or accidental breach of personal 
        information. All Americans should be provided reasonable 
        security for their personal information, but state and sectoral 
        Federal laws only provide consumers with highly uneven data 
        security protection dependent on sector and geography. Only 
        half of U.S. states currently have data security laws, and 
        while many share common ``reasonable practices and procedures'' 
        language, the state laws vary (for example: some apply only to 
        certain entities, like financial institutions or government 
        contractors). At the same time, Federal privacy legislation 
        that preempts state data security laws without establishing a 
        robust Federal data security standard would harm consumers by 
        stripping away existing safeguards. Breach and theft of 
        personal information are major drivers of consumer privacy 
        concerns. These events are generally a failure of security, not 
        other privacy principles such as choice, transparency, access, 
        or use limitations. While the other privacy principles are 
        important, consumers will continue to suffer harmful breaches 
        without broad adoption of reasonable security for personal 
        information. Establishing a robust requirement of security for 
        personal information as part of Federal privacy legislation 
        would provide consistent baseline protection for consumers, 
        many of whom do not have such protection at the state level, 
        without scrapping the safeguards that are in place.

   • Businesses: A failure to include data security provisions in 
        Federal privacy law would be detrimental to businesses as well. 
        The patchwork of data security laws makes compliance more 
        difficult for businesses of all sizes, especially those with 
        limited resources. Regulatory enforcement for data security 
        based on concepts of unfairness or duties of care provides less 
        certainty for businesses than an affirmative requirement for 
        reasonable security. Businesses can be harmed by the security 
        failings of other businesses--such as the spread of malware 
        from one entity to another, or automated denial-of-service 
        attacks targeting services on which many businesses rely--and 
        businesses benefit when other businesses implement strong 
        security to resist these attacks. In addition, 
        businesses are harmed by loss of consumer trust due to 
        perceptions of poor security following well-publicized data 
        breaches of personal information. Establishing a harmonized and 
        consistent standard of data security will improve security 
        outcomes by setting expectations across the ecosystem, 
        streamline compliance with security obligations, and help 
        rebuild consumer trust in privacy protection.

   • US approach to data protection: A ``comprehensive'' privacy 
        law that lacks security requirements would be a negative shift 
        that brings the U.S. approach to data protection out of step 
        with historical precedent and foreign privacy regimes. Nearly 
        every major Federal privacy law includes an express data 
        security or confidentiality requirement, such as COPPA, HIPAA, 
        GLBA, and the Privacy Act. This is also true of several non-US 
        privacy frameworks, such as the EU's GDPR and Canada's PIPEDA. 
        (Note: although the California Consumer Privacy Act of 2018 
        (CCPA) did not include data security provisions, California 
        already had data security laws in place prior to enactment of 
        CCPA.) Data security has long been considered to be fundamental 
        to privacy, going back to the Privacy Act and the OECD Fair 
        Information Practice Principles. A Federal privacy overhaul 
        that lacked data security would fall short of existing 
        protections, make the U.S. an outlier with modern privacy laws 
        abroad, and risk setting a precedent that weakens the current 
        concept of privacy rights as inclusive of requirements to 
        secure data.

    Breach notification should be considered separately from data 
security requirements and need not be incorporated in privacy 
legislation. Data security should not be confused with a requirement to 
notify consumers of a breach. Breach notification has distinct 
implementing language which does not expressly require reasonable 
security for personal information. Breach notification requirements 
only apply after a breach has occurred, while data security safeguards 
are critical to preventing breaches from occurring. The cost and 
complexity of breach notification alone does not sufficiently 
incentivize good security, as demonstrated by continued occurrence of 
severe data breaches caused by poor security in spite of enactment of 
breach notification laws in all 50 states. Moreover, as a practical 
matter, debates over breach notification can get mired in differences 
over the form and timeline for notification.
