December 1, 2016

DHS and NIST Issue Internet of Things Cybersecurity Guidance

In an apparent response to attacks like the massive distributed denial-of-service (DDoS) attack of October 2016, which was launched from a botnet of compromised IoT devices and disrupted much of the American internet, the Department of Homeland Security (DHS) recently released a set of “strategic principles” for securing the rapidly expanding internet of things (IoT) ecosystem.

The purpose of the principles, according to DHS, is to “provide stakeholders with tools to comprehensively account for security as they develop, manufacture, implement, or use network-connected devices.” Strengthening the security of IoT devices, which Secretary of Homeland Security Jeh Johnson has called a “matter of homeland security,” is intended to be part of a larger conversation between industry and government. IoT devices are particularly at risk, and prime targets for attack, because of often-poor security practices by device manufacturers and developers, such as hard-coded default passwords (credentials that are identical on every unit and frequently cannot be changed by the user) and the lack of any reliable mechanism for patching and updating devices once they are deployed.

Against this backdrop, DHS’s strategic principles focus on:

  • Incorporating security in the design phase
  • Promoting security updates and vulnerability management
  • Building on recognized security practices
  • Prioritizing security measures according to potential impact
  • Promoting transparency across the industry
  • Analyzing whether connectivity is required or desirable

DHS suggests best practices for each principle – for example, it recommends that manufacturers give consumers more information and more choice about whether, and to what extent, to connect their devices to networks, and that they build in controls that let consumers disable a device’s network connections when they wish.

According to DHS, the principles represent a “first step” toward a “longer-term collaboration between government and industry.” Indeed, the principles can be seen as part of DHS’s multi-pronged initiative to engage industry in a collaborative effort to address increasingly sophisticated cyberattacks. This initiative includes DHS’s Automated Indicator Sharing (AIS) program for machine-speed exchange of cyber threat indicators, and threat sharing under the Cybersecurity Information Sharing Act – the goal of which is to establish a holistic picture of the threat landscape through enhanced information sharing between the private sector and government.

Whereas the DHS principles provide a high-level security framework, the recent guidance from NIST (the National Institute of Standards and Technology) gives companies concrete engineering guidance for better system security practices. NIST Special Publication 800-160, Systems Security Engineering, the product of four years of work and released this month, focuses on the trustworthiness of systems and lays out in detail what should be done from an engineering perspective, across the full system life cycle, to develop “more defensible and survivable systems.” It addresses each of the “machine, physical, and human components” that comprise systems and recommends a holistic, engineering-driven approach to system security. Notably, SP 800-160 is not specific to IoT: it is written for systems of any kind, but its emphasis on building security in from the start of the life cycle applies directly to connected devices.

Although the DHS and NIST guidance is nonbinding, it will likely influence evolving notions of “reasonable security.” IoT device manufacturers and developers who fail to consider the DHS and NIST guidance may be vulnerable to claims that they did not meet this standard. In other words, the guidance could serve as a de facto standard of care. At a minimum, it means that IoT cybersecurity will be under exceedingly close scrutiny by regulators, the plaintiffs’ bar and the courts.

About the Authors

A partner in the firm’s Business Litigation Group, member of its Data, Privacy and Cybersecurity Practice and Privacy lead resident in the Washington, D.C. office, and former Chief Privacy Officer with the U.S. Department of Homeland Security.

A senior partner and Chair of Goodwin’s Business Litigation Group as well as its Privacy & Cybersecurity Practice.