There might be a small silver lining to this grim pandemic season after all — at least when it comes to cyber infrastructure in the United States.
BreakingDefense reported earlier today that the U.S. Congress might push on new legislation around the Internet of Things (IoT) over the next few weeks. Speaking at an AT&T-hosted panel on August 20, executive director of the Cyberspace Solarium Commission, Mark Montgomery, noted that “with the workforce at home [due to the COVID-19 pandemic], household Internet of Things devices — particularly household routers — have become vulnerable,” providing a larger attack surface to the adversary.
The congressionally mandated Solarium Commission was established in 2019 to guide U.S. cyberspace strategy through that year’s National Defense Authorization Act. The name of the Commission is a nod to the 1953 Project Solarium established by then-President Dwight D. Eisenhower to examine American policy options in the face of Soviet power; the implication here is that America’s cyber challenges are comparable in their importance.
As BreakingDefense reports, Montgomery noted, “[t]o ensure that the manufacturers of IoT devices would build basic security measures into the products they sell, we thought Congress needed to pass this IoT security law, and the law should focus on known challenges like insecurities and Wi-Fi routers, and mandate that these devices have reasonable security measures, such as those that NIST [National Institute of Standards and Technology] has put out.” In May this year, NIST published a report on “IoT Device Cybersecurity Capability Core Baseline,” which emphasized the need for cybersecurity features to be built into the devices’ hardware and software (device cybersecurity capabilities), and identified technical standards for the same.
In 2017, market research firm Gartner noted that by this year 20 billion devices would be connected to the internet, including household appliances such as “smart” televisions and refrigerators, but also jet engines and cars. From a cybersecurity standpoint, each of these networked devices represents a potential vulnerability and ingress point. IoT also forms the backbone of growing augmented-reality applications, some with serious security vulnerabilities.
In a 2018 report prepared for the U.S.-China Economic and Security Review Commission, SOSi – a private defense contractor – noted that China remains keenly interested in IoT vulnerabilities, both to secure its own networks and “almost certainly to collect intelligence, conduct network reconnaissance for cyberattacks, and enhance its domestic surveillance powers.”
As the SOSi report also noted, complicating matters is the fact that China seeks to set technical standards for the IoT and has a clear strategy for doing so, even when American firms are absent from the norm-setting and standardization process. China’s state media has noted in the past that Huawei has collaborated with China Telecom to integrate 5G and IoT technologies for solutions around smart cities. The effective “internationalization” of such solutions through the Belt-Road Initiative remains a distinct possibility.
U.S. IoT security leadership not only serves vital interests at home, but also stands to offer alternatives to Chinese solutions abroad.