From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dave Taht
To: David Collier-Brown
Cc: bloat, cerowrt-devel@lists.bufferbloat.net, davecb@spamcop.net
Date: Sat, 19 Jan 2019 06:16:35 -0800
In-Reply-To: <6a10f28f-ee62-3fa7-6b86-4cb8884434d5@rogers.com> (David Collier-Brown's message of "Tue, 15 Jan 2019 12:34:03 -0500")
Message-ID: <87tvi4ohq4.fsf@taht.net>
Subject: Re: [Bloat] Off-topic: What to Make of the U.K.’s New Code of Practice on Internet-of-Things Security

There should probably be a list for political issues somewhere.
I am liking various proposals for improving device security like this and the German router thing (https://www.ccc.de/de/updates/2018/risikorouter ) but missing from all these requirements is "the right to repair":

"The code also asks manufacturers to disclose a minimum timeline for software updates and makes provisions for devices or components that cannot be updated through software, noting that the manufacturer can replace them—in fact, under U.K. law they must repair or replace faulty products for 6 years."

Oh, I so wish we had that in the US. But what qualifies as faulty?

David Collier-Brown writes:

> I'm pleased to have seen this discussion on lawfare,
> https://www.lawfareblog.com/what-make-uks-new-code-practice-internet-things-security
>
> Instead of proposing frozen, unmaintainable devices, they expect updates, and note that a major UK retailer pulled an insecure product because it couldn't be updated.
>
> --dave
>
> -------- Forwarded Message --------
>
> Subject: What to Make of the U.K.’s New Code of Practice on Internet-of-Things Security
> Date: Tue, 15 Jan 2019 10:26:40 -0500
> From: Jack Watson <>, Beau Woods <>
>
> What to Make of the U.K.’s New Code of Practice on Internet-of-Things Security
>
> Across the globe, the rapid pace of technology development has made it difficult to govern emerging tech effectively. Policymakers struggle with several primary issues, including knowledge of the subject matter, the potential impact on the pace of innovation, and the rapid rate of adoption.
> The United Kingdom’s “Secure by Design” program intends to meet these challenges, as well as take steps to position the country as “best place in the world to do digital business.” As Brexit continues, and Britain’s finance sector looks to jump ship, such a goal is as timely as it is necessary. At its core, the program will create powerful tools for policymakers, industry, consumers, retailers, and others. The final U.K. “Code of Practice” for internet-of-things security released on Oct. 14, 2018 by the Department for Digital, Culture, Media and Sport in conjunction with GCHQ’s National Cyber Security Centre offers one of the clearest policy positions articulated yet by any national government. It sets out a technically literate policy that will drive manufacturers to innovate more efficient ways to protect internet-connected consumer devices, through market and regulatory incentives.
>
> By its own terms, the code of practice—and, more broadly, the Secure by Design program—seeks to “support all parties involved in the development, manufacturing and retail of consumer [internet-of-things devices].” To support this goal, the release is accompanied by awareness and educational documents, technical standards guidance, and an implementation plan, all of which show the U.K.’s commitment to a leadership role in securing the internet of things. The fact that the code is translated into eight languages, including Mandarin, Korean, French, German and Japanese, is crucial in showing that the U.K. intends to be a global trendsetter, but it also reflects the global nature of the markets, supply chains and security threats, as well as resilience and confidence in consumer internet-of-things devices.
> A common or coordinated international approach increases adoption speed, reduces transactional friction, and increases consumer confidence across global markets.
>
> Finally, the implementation plan for the Secure by Design program demonstrates GCHQ and DCMS know well the current cybersecurity climate writ large. Like the United States, the U.K. has identified a significant shortage of trained cyber security professionals. This, compounded by the rapid development of internet-of-things devices, rollout of 5G, and other technical advances, means there is a lack of capacity to protect internet-of-things products and services from increasingly complex cybersecurity dangers. The U.K. wants to see the code ensure that devices flooding into homes and companies are equipped with necessary capabilities for owners to protect themselves—through voluntary, market-driven measures ideally, though if that fails they will “make these guidelines compulsory through law.” Consumer awareness, education, and labelling will empower buyers to make well-informed decisions and give citizens knowledge to take advantage of these capabilities. Finally, NCSC-sponsored CyberFirst summer courses will train the next generation of technology professionals to defend against security threats to internet-of-things devices.
>
> What the Code of Practice Is—And What it Isn’t
>
> Many early criticisms of the code are premised on a superficial understanding of the program and emerging solutions. At its core, the code details several positive, practical steps for device manufacturers across the supply chain and product lifecycle. For instance, botnets like Mirai and others gain their destructive power by taking over large numbers of internet-connected computers or devices.
> Steps that the code recommends, like prohibiting default passwords and keeping software up to date, limit the speed and scale of a botnet’s growth, thus diminishing their ability to do harm. The code guides manufacturers away from common patterns of security failure that create openings for many types of threats, including botnets, and towards those that tend to be more successful. We outline the top three recommendations, as well as a few others worthy of note. (The paragraph numbers used below are from the document itself and do not necessarily reflect our ranking.)
>
> 1. No default passwords. Passwords are meant to restrict access to systems only to those who know them. Default passwords, like “admin” or “password,” ensure anyone can know them, thus defeating their utility when defaults are published, well-known, or easily guessable. Many devices already ship with unique passwords, requiring a change on first use. Default and common passwords on internet-facing interfaces (such as Telnet and SSH) allow network worms like Mirai to propagate very quickly, though improving security of other interfaces also improves “security by default” for internet-of-things systems.
>
> 2. Implement a vulnerability disclosure policy. As more of the “things” around us depend on software and become exposed to the internet, more adversaries will take advantage of their flaws. A coordinated vulnerability disclosure policy invites allies, acting in good faith, to report these flaws to the manufacturer so they can be fixed. The device maker has an obligation to acknowledge and address issues in a timely manner. (The leading international standard for coordinated vulnerability disclosure, ISO 29147, calls for acknowledgement in 7 days.
> And the Code’s additional explanatory notes section makes a case for manufacturers to address the issue in less than 90 days.)
>
> 3. Keep software updated. Software updates can address bugs and vulnerabilities once manufacturers know about them. Most internet-of-things devices have the capability for software updates today, though laggards still exist. For instance, a major U.K. retailer removed GPS watches made for children over concerns that they were insecure and could not be updated. The code goes further and asks manufacturers to preserve basic functions during an update and that the update process be secured. The code also asks manufacturers to disclose a minimum timeline for software updates and makes provisions for devices or components that cannot be updated through software, noting that the manufacturer can replace them—in fact, under U.K. law they must repair or replace faulty products for 6 years.
>
> 6. Minimize exposed attack surfaces. The code aims to eliminate exposure and attack surface where the value to the consumer is outweighed by the risk associated with the vulnerability. Many devices already minimize feature sets due to resource constraints. With better hardware capabilities at lower cost, the trade-offs for increasing the number of exposed services to the internet or taking a default-enable approach to elective services.
>
> 9. Make systems resilient to outages. Boosting resilience to outages will be increasingly important in coming years, as internet-of-things infrastructure changes, such as migrating to a new domain, end of life, going out of business, and other circumstances impossible to predict. Mature design processes include failure-mode analysis to guide how the device will perform during different environmental or system failures.
> This can mean the device notifies the person it’s in some kind of degraded mode or that mechanical systems replace software-driven ones. My Amazon Echo tells me when my internet connection (or its servers) are out, and internet-connected locks usually have mechanical keys as backups when connectivity or power are unavailable.
>
> 10. Monitor system telemetry data. Mobile phones and apps send masses of telemetry information back to their developers, who can analyze and improve the products as well as look for security or safety anomalies. Microsoft, Apple and Google detect emerging threats against their products and issue updates to address them, while doing so in a privacy-neutral way.
>
> Threats, vulnerabilities and industry practices change over time. The code of practice is a snapshot in time, meant to be goal- or outcome-based rather than prescriptive, so organizations can adapt as necessary while still hitting these objectives. It isn’t meant to supplant technical standards, but instead the U.K. government has mapped the code to technical standards for ease of implementation.
>
> Securing systems may increase cost of doing business, and eventually the price of consumer goods. On the other hand, buyers and owners already bear costs for insecurity. Wide-scale harm from events like WannaCry and NotPetya greatly escalate those costs, including harm to third parties through no fault of their own. In conversation, U.S. and U.K. retailers have mentioned costs associated with employees educating consumers and increased rates of return for security issues.
>
> Manufacturers are in the best position to reduce systemic cost and risk, as their available options are much greater than those of owners. Shifting responsibility and costs across the supply chain has been difficult in the past, without strong financial or regulatory incentives. The U.K. intends to drive these changes through labeling, consumer awareness, (if it must) regulation, and (I strongly suspect) by requiring devices they buy to adhere to the code.
>
> Crucially, the Department of Digital, Culture, Media and Sport (DCMS) has made it clear that they do not intend to reinvent the wheel. An accompanying document maps the code against over 100 documents from nearly 50 organizations, representing “published standards, recommendations and guidance on [internet-of-things] security and privacy from around the world.” This is, first and foremost, an effort grounded in a practical understanding of the problem, the effective approaches, and what has failed in the past. DCMS know that manufacturers “are already implementing a range of standards,” and the mapping document shows how those efforts fit with the code.
>
> While most of the elements of the code are well understood, some of the objectives it lays out are only beginning to enter common practice. Though they have long been technically possible, these innovative approaches have only recently been needed due to increases in attacks against internet-of-things devices and buyer pressure for higher security, largely among retailers and corporate buyers. Publishing the code will serve to stimulate innovation toward better capabilities in the hands of more manufacturers, buyers, and owners.
>
> Most device makers should have no problem meeting the objectives laid out in the Code within the next couple of years. Several of the world’s largest manufacturers have already committed to a similar high-level doctrine called the “Charter of Trust.” The manufacturers most likely to be impacted are those that buy very low cost, low quality devices from China or elsewhere and repackage them under a variety of names.
> These brands tend to exit the market after only a year or two, replaced by other brands selling nearly identical-looking products from the same factories, making it hard to enforce accountability for support. They live on, connected to the internet, vulnerable and exposed to global accidents and adversaries. This kind of market confusion drives out better products leaving buyers with low choice and low quality—a market for lemons.
>
> Yet the code is not a cure-all for every internet-of-things security concern. First, it only applies to home, or consumer-grade internet-of-things devices. Yet similar technologies—and their associated security risks—have been adopted across automotive, aviation, maritime, energy, and other sectors. Each of these has distinct ecosystems, challenges, and leverage points to evaluate if the U.K. wants to apply the code in those industries. Second, the unimplemented policies cannot make change, and the Secure by Design program is light on how the government plans to achieve market adoption. This will inevitably take resources, focus, and time that must be allocated amid a turbulent national and global political landscape. Third, global supply chains and markets demand international cooperation and collaboration. While policymakers have shied away from corralling rapidly advancing technologies, such as internet-of-things devices and 5G, they seem more willing now than ever before in key regions like North America, Europe, and China.
>
> ***
>
> The code is a positive step forward for consumer IoT security and has positive traction. HP and Centrica have already formally signed on to the code, and others are likely to follow, given the resources the U.K. government seems to be putting behind adoption and enforcement. DCMS contend that at least eight of the code’s guidelines are already legally enforceable through the U.K. Data Protection Act and GDPR.
> Germany and the EU have begun adopting compatible (though much less effective) policies, and in the United States, California’s internet-of-things bill (SB-327) requires manufacturers to equip internet connected devices with “reasonable” and “appropriate” security features. (In the deliberations captured in the bill’s history, the legislature emphasized that security must be both reasonable and appropriate to the device, and that it’s up to the device makers to determine that. The code could serve as a good model for meeting this standard of care for consumer internet-of-things devices.) Globally, policymakers are reaching for clear guidelines and implementable solutions, coupled with adverse market pressure for companies that come up short.
>
> Most of the internet-of-things devices that ever exist will be designed in the future. Policies like the U.K. Code of Practice are meant to be forward-looking, driving innovators toward better products. Many of the objectives it lays out are commonplace among moderate- and high-quality devices, even those at low price points. But the Code will raise the bar for all manufacturers and reduce susceptibility to cyber security, safety, and privacy issues. And it will give retailers and consumers a common measuring stick for comparing devices.
>
> _______________________________________________
> Bloat mailing list
> Bloat@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/bloat