興味深い=>The reverse cascade: Enforcing security on the global IoT supply chain - In-Depth Research & Reports by Nathaniel Kim, Trey Herr, and Bruce Schneier
こんにちは、丸山満彦です。
IoT機器等のセキュリティを確保することは社会における今後の重要な課題の一つだと思いますが、その実装をどのように行えば良いのかはよくよく考える必要があります。その回答への一つのヒントになると思うのが、サイバーセキュリティ分野で長く活動されているBruce Schneierさんも関わっているペーパ↓です。
・2020.06.15 The reverse cascade: Enforcing security on the global IoT supply chain -
IoTデバイスは価格競争が厳しく、その要素となる部品を作っている事業者が海外になることもあり、目に見えないセキュリティについては単に市場原理に任せていてもサプライチェーン全体でセキュリティの確保が難しいが、販売事業者に規制をかければ、上流に遡って規制が効くだろうという考え方だろうと思います。
他の分野でも似た考え方はあるとは思いますので、実装手法としてはありだろうと思います。
厳密には違いますが、紛争鉱物に関する規制や、輸入事業者が代位責任を負うことになっている製造物責任法に似た発想があるかもしれませんね。。。
このペーパでは家庭用 WiFiルータを例に取り上げていますが、推奨事項として次の4つを挙げています。
- 取締りを明確にする
- ベースラインを選択する
- 優れたセキュリティ製品についてラベルをつける
- 標準の作成と同盟国との協力する
セキュリティの社会への実装というのは、外部不経済を如何に内部化するかということだと思うのですが、たの分野の手法がやくに立つこともあると思います。ということもあり、このペーパは興味深いです。
4. Recommendations
IoT security is a pressing national security issue, as these devices increasingly permeate homes and lives. The home Wi-Fi router is a good example of the IoT security challenge, and helps to illustrate the reverse cascade in action. Implementing this approach requires a handful of steps in the policy community and industry.
Clarity on Enforcement: While the FTC has successfully leveraged its authority to police unfair or deceptive trade practices to go after firms with poor security practices, this is a slow process requiring demonstration of harm. The Senate Commerce Committee should make a small, but important, change to Section 5(a) of the FTC Act, adding “unsafe acts or practices” to the current statute’s provision for “unfair or deceptive acts or practices.” Together with the DealerBuilt, LabMD, and D-Link precedents, this should clarify FTC’s enforcement authority on cybersecurity issues, and allow for action prior to the imposition of harm where practices are demonstrably unsafe in a lab environment or based on expert consensus.
Pick a Baseline: The linchpin of the reverse cascadefor IoT is an international, or at the least broadly recognized, set of standards for the secure design and manufacturing of IoT devices. These standards will need to encompass a variety of different product types and manufacturing stages. To avoid excessive fragmentation, it would be desirable for this recognized baseline, or framework, to permit the inclusion and relative cross-compatibility of specific standards. The earlier portion of this paper suggested several candidates, but additional endorsement by US and EU cybersecurity agencies would help elevate and focus on one. The Cybersecurity and Infrastructure Security Agency of the US Department of Homeland Security together with NIST and the EU Agency for Cybersecurity (ENISA) play important, if somewhat differing, roles in their respective cybersecurity policy apparatuses. Agreement from both agencies that a single IoT security standard was their focus, and an adequate guide for secure design and manufacturing, would support efforts such as the reverse cascade to bring pressure on non-expert distributors and IoT firms alike. The Cyberspace Solarium Commission’s proposal for a National Cybersecurity Certification and Labeling Authority (NCCLA) would fit well with this recommendation. A future NCCLA would be the logical entity to pick up and endorse such an international standard, as well as taking on responsibility for supporting its continued development over time.
Create a Label for Good Security Practices: There are frequent debates about how to better leverage the consumer marketplace to reward good security practices. A label for adherence to security standards under the baseline mentioned would be a useful foundation for this proposal and related efforts to improve consumer decision-making about secure products and services. A recent survey by a cybersecurity firm found that nearly three quarters of consumers expected their IoT devices to be secured by the manufacturers, with 87 percent believing that it is the manufacturers’ responsibility to do so. 49 A future NCCLA, or an existing agency like NIST, could create a simple labeling scheme for the selected international standard—creating a second source of pressure on distributors and, thereby, manufacturers. Properly labeled products could help mobilize consumers against insecure alternatives, filling the gap while FTC enforcement actions work to conclusion against non-compliant manufacturers. Rather than require complex evaluation and auditing, the use of a single standard would allow standardized technical assessment of new products to assign a suitable label per this scheme. This would avoid unnecessary demand on specialized technical skillsets, and permit the existing healthy market of consulting and compliance firms to support audits in line with this label.
74% of consumers expect their IoT devices to be secured by the manufacturers
A recent survey by a cybersecurity firm found that nearly three quarters of consumers expected their IoT devices to be secured by the manufacturers, with 87 percent believing that it is the manufacturers’ responsibility to do so.
“Survey: Consumer IoT Customers Expect Manufacturers to Embed Security in Devices,” Karamba Security (blog), December 8, 2019, https://www.karambasecurity.com/blog/2019-12-08-consumer-iot-survey.
Align Standards and Collaborate with Allies: To prevent manufacturers or distributors from jurisdiction hopping, the United States and key allies in the EU should make it a priority to align on an appropriate international security baseline and coordinate enforcement actions. This is not an inconsiderable challenge, since the EU organizes its efforts to coordinate national activities on consumer safety and competition differently than the United States. A good starting point would be for the FTC to collaborate with the EU’s Directorate General for Competition Policy and other national government agencies as appropriate, to drive an IoT security-enforcement working group. 50 It will take time to converge these and other agencies’ theories of action, especially moving in advance of demonstrated harm to the public. The earlier this coordination starts, the better.
Comments