Today, Duo signed a joint letter with Rapid7, the Electronic Frontier Foundation, the Center for Democracy & Technology, the Global Cyber Alliance, Bugcrowd, and many other companies and individual security researchers in response to the Department of Commerce’s Green Paper, Fostering the Advancement of the Internet of Things (PDF), to support cybersecurity policy in the Internet of Things (IoT) industry.
The Green Paper is important because it will set the general policy agenda and priorities for the Dept. of Commerce on IoT, and the letter we jointly signed is our response to the department’s request for public comment. The main intent of the letter is to ask the Dept. of Commerce to highlight the benefits of actively encouraging IoT providers and operators to develop and implement vulnerability disclosure and handling processes.
Gartner forecasts that 8.4 billion connected things will be in use worldwide in 2017. That’s a 31 percent increase from last year, and the research and advisory firm predicts that number will reach 20.4 billion by 2020. Additionally, Gartner predicts that IoT services are on pace to reach $273 billion in 2017. Demand is growing and the market is growing, which also means the security risks are increasing.
The two main considerations requested in the letter are:
The Green Paper should more clearly explain the benefits of adopting vulnerability disclosure and handling processes to both the IoT device manufacturers as well as the software providers who build the ecosystem within which those devices operate.
IoT security strategies should include vulnerability disclosure and handling processes. Due to the quantity and complexity of connected devices alongside the realisation that there is no such thing as perfect security, it can be difficult for many IoT providers to catch all vulnerabilities prior to their release to market.
That’s why it’s important for IoT tech providers to establish a vulnerability disclosure and handling process in advance of the discovery of any issues in order to help quickly address vulnerabilities when they are disclosed to them by external sources.
Having a clear process in place can also help protect security researchers, giving them a way to communicate their vulnerability findings while reducing the risk of conflict or misunderstanding.
The Green Paper should also contain a commitment that the Dept. of Commerce will continue to work with industry, government and other stakeholders to promote the voluntary adoption of vulnerability disclosure and handling processes by the IoT industry.
The letter also notes that promoting the voluntary adoption of vulnerability disclosure and handling processes is not a discrete task, but an ongoing endeavor. As such, we are recommending that the Dept. of Commerce explicitly commit to working with the IoT industry and the associated stakeholders in an ongoing manner to ensure effective implementation of the guidelines.
We are proud to be able to contribute to this important conversation, and you can view the letter we sent here: Joint Comments on "Fostering the Advancement of the Internet of Things" (PDF)