Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/20/2015
07:20 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

White House's Daniel 'Intrigued' By UL-Type Model For IoT Security

Michael Daniel, the national cybersecurity coordinator and assistant to the President, talks Internet of Things security and recent Executive Orders on intel-sharing and sanctions.

SAN FRANCISCO -- An Underwriters Laboratories-type safety certification could serve as a basic model for driving Internet of Things product security, according to the White House's national cyber security coordinator.

Michael Daniel, special assistant to the President and the nation's cybersecurity coordinator, said in an interview here today with Dark Reading that the Obama administration considers such an industry certification model a good option for driving vendors to secure their increasingly Internet-connected consumer products. "We are very much interested in voluntary models" for this, he said.

He said the UL-style concept is intriguing to him. "A nonprofit consortium that would rate products … I find that model very intriguing and similar in the development" of IoT security and safety, he said. UL -- which tests and certifies appliances for electrical safety -- may not "map completely" with IoT, of course, he said. Meanwhile, some IoT products, such as medical devices, will likely fall under existing safety and security regulations, he said.

Consumers also could be a force for improving IoT security, he said. "It's incumbent … for consumers to drive their concern about [security] in their demand for Internet of Things products," he said. If consumers begin comparing and purchasing wearable fitness devices, for example, for their cybersecurity features, that could help drive the market for more secure products.

On the flip side, the bad guys ultimately may provide the impetus for IoT vendors to build security into their products. "The bad guys will figure out a way to monetize this, and incidents will also spur results" in security, he said.

The Sony hack is an example of how a real-world security incident served as a cautionary tale, according to Daniel. "One of the most interesting effects of the attack on Sony was how many companies now seem to have really focused on" concerns of getting hacked, he said. Daniel said he thinks that's because Sony wasn't an obvious target for PII, nor a critical infrastructure provider: "I had a lot of feedback from CIOs that this drove the point that it could happen to anyone."

The Obama administration's recent EO promoting cyber intelligence-sharing, meanwhile, aims to ensure the sharing of this information is occurring on "multiple axes," Daniel said.

The administration's policy on intel-sharing "flipped the default position in government" on sharing threat intelligence, Daniel said, to sharing it with private industry as well as among agencies. The conduit will be NCIC, the FBI, and the Defense Department, he said.

Trust among all of the participants is important, as is getting value from actually sharing intel, he said.

"The next part is the hard part: the nuts and bolts," Daniel said.

Earlier today, during a Q&A session at the CyberTech 'Securing The Internet of Things' Forum, Daniel said the Obama administration's recent Executive Order for imposing sanctions on cyber criminals and cyber spies was more than two years in the making.

The "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities" Executive Order signed by President Obama earlier this month authorizes the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. But some members of the security industry worry the sanctions could backfire and hurt white-hat security researchers due to some ambiguities in the proposed legislation.

Daniel said the administration said the Treasury Department will be tasked with creating "implementation guidance," and that the administration has been expanding its dialog with the technology industry. "This administration has been very sensitive of the overuse of sanctions … One of the key debates we had in issuing this was whether or not it was an appropriate tool given some of those concerns," he said. "We decided we need to have additional tools in the toolbox to spread the range of responses we could have for addressing real cyber actors causing us harm."

The administration will be "very restrained" in using this authority, he says. "It's really designed to go after those targets which we have no other good tools to get at them. One of the things we wrestle with constantly is the tension between short-term returns with the long-term effects on the ecosystem."

Daniel is scheduled to speak here at the RSA Conference on Thursday, in a session titled "There Are No Domestic Cyber Issues: US & UK Leaders on Global Partnership." 

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Some Guy
100%
0%
Some Guy,
User Rank: Moderator
4/21/2015 | 10:21:46 AM
Simplistic & Shows Ignorance of How UL Works
Way too simplistic! UL is built on 100+ years of experience in a fairly static environment that changes on decade timescales. Can you imagine taking years to respond to a new attack? And even if you gave a device a cyber-UL sticker today, howwould it be protected from future, emerging, new threats? There is a nugget underneath it all that is key -- UL is really driven by the insurance industry. If you install a non-UL device and there is a fire, the insurance company does not have to pay.

To be effective two things will have to happen for IoT cyber-security. First, we need IoT security to be driven as a first-order requirement. It can't be an afterthought in the current IoT gold-rush just to get products working and to market, regardless of the security. Perhaps insurance is the economic vehicle to drive that; strict product liability and lawsuits certainly can be the way, but that takes too long. Legislation to require minimum security features such as immutable HW ID, secure boot, signed code, and application whitelisting would be a great step forward. It's incumbent on all of us in our practices and purchases to insist that IoT have security from the outset and not added 30 years after the fact like the Internet.

Second, cyber-criminals are going to have to be hunted to extinction in the real world, not cyber-space -- think Pinkertons  and what it took to end train robberies in the 19th century (e.g., vs. Butch Cassidy, the Sundance Kid and the Hole-in-the-Wall Gang). Like Yakov Smirnov used to say about old Soviet Russian warning shots: they shoot you and that's warning for the next guy.
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We are really excited about our new two tone authentication system!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4126
PUBLISHED: 2020-12-01
HCL iNotes is susceptible to a sensitive cookie exposure vulnerability. This can allow an unauthenticated remote attacker to capture the cookie by intercepting its transmission within an http session. Fixes are available in HCL Domino and iNotes versions 10.0.1 FP6 and 11.0.1 FP2 and later.
CVE-2020-4129
PUBLISHED: 2020-12-01
HCL Domino is susceptible to a lockout policy bypass vulnerability in the LDAP service. An unauthenticated attacker could use this vulnerability to mount a brute force attack against the LDAP service. Fixes are available in HCL Domino versions 9.0.1 FP10 IF6, 10.0.1 FP6 and 11.0.1 FP1 and later.
CVE-2020-9115
PUBLISHED: 2020-12-01
ManageOne versions 6.5.1.1.B010, 6.5.1.1.B020, 6.5.1.1.B030, 6.5.1.1.B040, ,6.5.1.1.B050, 8.0.0 and 8.0.1 have a command injection vulnerability. An attacker with high privileges may exploit this vulnerability through some operations on the plug-in component. Due to insufficient input validation of ...
CVE-2020-9116
PUBLISHED: 2020-12-01
Huawei FusionCompute versions 6.5.1 and 8.0.0 have a command injection vulnerability. An authenticated, remote attacker can craft specific request to exploit this vulnerability. Due to insufficient verification, this could be exploited to cause the attackers to obtain higher privilege.
CVE-2020-14193
PUBLISHED: 2020-11-30
Affected versions of Automation for Jira - Server allowed remote attackers to read and render files as mustache templates in files inside the WEB-INF/classes & <jira-installation>/jira/bin directories via a template injection vulnerability in Jira smart values using mustache partials. The ...