[iot-discussion] Proposed US legislation
"Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would:

- Require vendors of Internet-connected devices purchased by the federal government ensure their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.
- Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
- Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.
- Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.
- Require each executive agency to inventory all Internet-connected devices in use by the agency."

https://www.warner.senate.gov/public/index.cfm/pressreleases?id=06A5E941-FBC3-4A63-B9B4-523E18DADB36

The legislation does not try to define “things” and instead uses the term “Internet-connected devices”. I think this is a good approach.

It is though limited to devices purchased by the Federal government and so does not include devices bought by companies and/or consumers.

Various US agencies are seen as having a role. Which would be the equivalent agencies in the EU?

Gordon
Hi Gordon,

Based on these points, I think it's a very prudent and reasonable piece of policy. I suppose the relevant institutions within the EU would be the European Commission and perhaps Europol.

Best,
-Michael

__________________
Michael J. Oghia
Independent #netgov consultant & editor
Belgrade, Serbia
Skype: mikeoghia
Twitter <https://www.twitter.com/MikeOghia> | LinkedIn <https://www.linkedin.com/in/mikeoghia>

_______________________________________________
iot-discussion mailing list
iot-discussion@ripe.net
https://lists.ripe.net/mailman/listinfo/iot-discussion
I would assume Europol's role is limited up to the point it turns into criminal acts that warrant investigation and prosecution.

From a European perspective I assume this would mostly fit ENISA's mandate in respect to (critical) infrastructure stability.

Groet,

MarcoH
--
Sent from a small touch screen, apologies for typos
To comment on what Gordon wrote, I think the choice of saying for example "procured by the federal government" etc. is simply because of what power the legislator has. In many MS of the EU one could probably say "public sector" and not only federal level. But it may differ between MS.

Regarding Europol, I think they only act as proxies between police in the various MS. They do not take action on their own. And regarding ENISA, well, we have the struggle between COM and ENISA and I personally think it would be COM that makes statements.

That said, this is most certainly much more a trade issue than IT or even security.

So Gordon, who knows trade?

paf
I agree. The US federal government buys a lot of kit and so may have an effect on the market. They also have a small set of bodies / agencies - OMB, Homeland Security, NIST - who can be tasked in this particular case. This is not the case in the EU. MS do the purchasing.

But “trade” tends to mean “international trade” and that is “complicated”. I think we are not there. I can expand if required. But briefly. Everybody - everybody! - has supplied kit with vulnerabilities. So it is cool to accept broken stuff from local - NA / EU - suppliers but say we will not buy any stuff from certain other countries? And anyway your smartphone was manufactured where exactly? ;-)

Gordon
Love this discussion. Similar discussions are going on on IEEE policy lists and at recent DEFCON/Blackhat. I'd be the last one to say govt should get too involved (having worked inside before) but I have seen some encouraging efforts like those out of the US Federal Trade Commission (FTC) in the form of funded contests for upgradeable IoT devices... and NIST/FISMA/OMB guidance on government procurement. Although the latter seems a bit less effective than one may think given a continued lack of awareness re: DNSSEC (a requirement for USG procurement) with comments like “hey I thought we didn’t need dnssec anymore…” Sigh…

Thank you for this discussion.

-Rick
The European Commission - DG CNECT - has been doing stuff in this area for some time:

https://ec.europa.eu/digital-single-market/en/internet-of-things

You can get a feel for their focus from the following:

<< A potential obstacle for the achievement of a single market for the IoT has to do with issues linked to the capacity to handle a large diversity and very large volumes of connected devices, and the need to securely identify them and be able to discover them so that they can be plugged into IoT systems. In this context it is important to promote an interoperable IoT numbering space for a universal object identification that transcends geographical limits, and an open system for object identification and authentication. Some aspects of numbering are already addressed in the 2016 review of the EU telecoms rules <https://ec.europa.eu/digital-single-market/en/connectivity-european-gigabit-society>. >>

I am not sure to what extent the Internet naming and numbering folk are involved. Or maybe some people just take it for granted that a “thing” ought to have a “sim”? And maybe also 5G connectivity? ;-)

See also the IERC (European IoT Research Cluster): http://www.internet-of-things-research.eu

Gordon
On 7 Aug 2017, at 22:33, Richard Lamb <richard.lamb@icann.org> wrote:
"upgradeable IoT devices"
While I completely see the point, after all it is a base requirement for anything further, I also get very uncomfortable with this strict focus on the technical properties. Personally I think there should be much more focus on the human factor and the (management) decisions made. What you really need is those updates to be developed and installed in a timely manner, and time and time again it turns out that it is the failure of exactly that process that causes issues.

Still on the fence whether this can only be solved by hard regulation and liability or whether we as industry can still create enough of a cultural shift to “do the right thing” under our own momentum.

Marco
On 8 Aug 2017, at 16:01, Marco Hogewoning wrote:
Still on the fence whether this can only be solved by hard regulation and liability or whether we as industry can still create enough of a cultural shift to “do the right thing” under our own momentum.
Require, just like in other environmental discussions (glass recycling etc.), that the manufacturers present a responsibility/management process for the whole lifecycle of the "thing", and we will be done. Including destruction, recycling of material etc.

paf
Yups, such a solution would ultimately be the thing to have. You are right in that at the meta level this is just a sustainability issue.

Big question, would the current IG ecosystem be up to the task of defining the requirements, have the different stakeholders implement their part of the solution and in the end collectively provide enough incentive for the system to be (self) enforced. And if that is not the case, how likely would a multi-lateral solution be? And more importantly, how to ensure we at least can give input to that process, we are after all the experts. Oh and of course when we do get this invite, what are we going to say and is there any chance we coordinate ourselves to a coherent strategy.

Sounds like there is still enough to talk about, fancy a trip to Leeds?

Groet,

MarcoH
--
Sent from a small touch screen, apologies for typos
I agree that at least requiring an audited SDLC (software development lifecycle) plan might be useful (like we created for dnssec root ops). However, besides the auditor cost$, beware the “designed by committee” problem. I've had good and bad experiences here but bad for those coming out of IGOs – sometimes the result is a camel and not a horse.

-Rick
That is assuming you want a horse of course (sorry ;-)

On Wednesday, August 9, 2017 9:27 AM, Richard Lamb wrote:

sometimes the result is a camel and not a horse.
ENISA is the “centre of expertise for cyber security”. They give “advice”. But its advice is not binding. It is for others to make legislation or actually take action.

You will though now be aware of the conference they are organising.

Gordon
Well it is a piece of legislation rather than policy. ;-) But I like the style. We will have to see though if it is adopted and with what changes.

I don’t think though that the Commission could propose similar legislation. Too many differences between how the US works and the EU.

Europol could be involved I guess if somebody used a vulnerability to commit a crime. Think WannaCry? But Europol would not be there to deal with vulnerabilities.

Gordon
On 4 Aug 2017, at 16:03, Michael Oghia <mike.oghia@gmail.com> wrote:
Based on these points, I think it's a very prudent and reasonable piece of policy. I suppose the relevant institutions within the EU would be the European Commission and perhaps Europol.
Best, -Michael
participants (5)
- Gordon Lennox
- Marco Hogewoning
- Michael Oghia
- Patrik Fältström
- Richard Lamb