On 20 September 2016, the website of IT security journalist Brian Krebs, KrebsOnSecurity.com, was the target of the largest distributed denial-of-service (DDoS) attack seen so far, with traffic peaks of 665 Gigabits per second. This attack was launched by just 24,000 internet-connected devices, otherwise known as the Internet of Things (IoT). These had been infected by the Mirai malware, which forces the devices to form an illicit network, known as a botnet. The same technique was used in the attack of 21 October 2016 on Dyn, a DNS provider and internet performance manager, affecting services such as Netflix, Amazon, Twitter, and Verizon Communications. This attack used up to 100,000 connected devices to reach peaks of 1.2 Terabits per second of traffic. The underlying problem is that IoT devices are notoriously insecure and connected to networks with global reach, such as the internet. With no end in sight to the growth of the IoT market, this is a problem that must be addressed.
In the EU, steps are being taken to improve overall network and information security and data security. The General Data Protection Regulation (GDPR), which aims to harmonise and strengthen personal data protection for all individuals within the EU, was adopted on 27 April 2016. The Security of Network and Information Systems (NIS) Directive, which contains security requirements for IT systems of operators and providers of critical infrastructures and services, was adopted on 6 July 2016. Both will take effect in 2018. For the electronic communications sector, which has had its own regime of security requirements for electronic communications networks and services (laid down in several pieces of EU regulation known as the Telecoms Package) since 2009, the European Electronic Communications Code (EECC) is currently under development. The EU communications networks and the network and information systems, as well as the dataflow over those networks, enjoy protection under these regulations.
However, connected IoT devices do not fall under any such security regulation. The security requirements within the Telecoms Package only apply to undertakings providing public communications networks or publicly available electronic communications services. The proposed security requirements in the EECC cover ‘machine-to-machine’ (M2M) services, but not the devices. The EECC stresses the need to facilitate IoT, but says nothing of its security. The NIS Directive only applies to operators of essential services and digital service providers. While the NIS Directive acknowledges (in its Recital 50) that the products of hardware manufacturers and software developers play an important role in the security of network and information systems, it states that they are already subject to their own regime of product liability. However, that regime is primarily concerned with the risks posed by products to the physical health and safety of consumers, and with material damage caused by defective products. This is problematic because product liability does not, for the most part, cover cybersecurity. More specifically, it does not cover security measures against, for example, unauthorised access to IoT devices or malware like Mirai. Currently there is no regulation in the EU containing requirements for hardware manufacturers or software developers concerning the prevention of, and resilience against, cybersecurity incidents affecting their internet-connected products.
On 1 August this year, the Internet of Things Cybersecurity Improvement Act of 2017 was introduced in the United States Congress. The purpose of the Bill is to remedy the current cybersecurity market failure: quite basic security measures are often lacking in IoT products, and the market does not remedy this by itself. This is why regulation is necessary. The Bill lays down several minimal [sic.] cybersecurity operational standards for internet-connected devices bought by U.S. Federal agencies, and for other purposes. The Bill contains requirements for clauses that must be included in any contract for the purchase of IoT devices. Vendors of IoT devices must make sure that their devices do not contain any known security vulnerabilities or defects, and do not contain any fixed or hard-coded credentials. The vendors must notify the purchaser of the device or firmware component of any vulnerabilities of which they become aware for the duration of the contract, as well as offer a timely fix. The vendors must ensure that the IoT devices they sell can be patched. There will also be a paragraph on guidelines regarding the coordinated disclosure of security vulnerabilities and defects to and by the vendors. The Bill requires that devices rely on internationally established standards, such as those of the International Standards Organization (ISO) and the National Institute of Standards and Technology (NIST), for compliance.
Even though this US Bill focuses on purchasing contracts, and does not specifically address hardware manufacturers or software developers, this strategy may still serve as an example for the EU.
In the EU, the recently proposed Cybersecurity Act of 13 September 2017 aims to introduce a security certification scheme based on EU and international standards, although it is unclear what this certification will entail and, crucially, it will be voluntary. This certification framework is intended to harmonise cybersecurity certification across the Union.
The US Bill contains requirements which are quite technologically specific. This is something EU security regulation usually tries to avoid. There is good reason why regulation should be as technologically neutral as possible. Due to the rapid development of ICT and IoT, if regulation is too specific, it will quickly become obsolete. However, technological neutrality may not be necessary when the issue has a certain universal validity. Since the specific security issues mentioned in the Bill have been well known for years or even decades, and certain security measures such as patching or making use of credentials are so universally accepted, technological neutrality may in this case be counterproductive.
The term “minimal cybersecurity” in the US Bill may give the impression that the goal is set rather low. But seeing how many IoT devices come onto the market without even the most basic security measures, requiring a few specific measures may be a very good start, and with that, a good example for future regulation to fill the rather large lacuna in the EU cybersecurity regulation landscape.