[HN Gopher] U.S. Government Finally Gets Serious About IoT Security
___________________________________________________________________
U.S. Government Finally Gets Serious About IoT Security
Author : samizdis
Score : 46 points
Date : 2021-03-18 19:49 UTC (3 hours ago)
| ipnon wrote:
| Cyber security should be seen as integral to national security as
| an army or navy. A cyber force is as necessary in the 21st
| century as a space force.
| marshmallow_12 wrote:
| I would argue that it's orders of magnitude _more_ necessary
| than a Space Force. After decades of relatively slow
| advancement, I fail to see why it's vital in 2021 to dedicate
| an entire branch of the military to space. An area which they
| have virtually no access to. OTOH, cyber warfare is very real,
| available and probably more effective than anything short of
| nuclear warfare.
| PeterisP wrote:
| The problem with that is that practical cyber security is
| essentially about the "structural soundness" of a huge
| infrastructure that's mostly civilian and mostly private, about
| the resilience of private company internal systems and consumer
| products - a "cyber force" (no matter how strong or large) has
| neither authorisation nor practical ability to come into the
| servers and systems of every important private organization
| (some large, some quite small - e.g. municipal water
| infrastructure orgs with less than a single full time IT
| person) and change them so that they'd be more defensible.
| _-david-_ wrote:
| There is already a cyber force. It is called Cyber Command.
|
| https://en.m.wikipedia.org/wiki/United_States_Cyber_Command
| Nicksil wrote:
| https://en.wikipedia.org/wiki/United_States_Cyber_Command
| Rebelgecko wrote:
| A unified command is different from an actual branch of the
| military.
| ethbr0 wrote:
| Cyber _anything_ isn't the solution.
|
| The solution is best practices, succinctly expressed, regularly
| updated, and loosely expressed but tightly enforced over years.
|
| Because tomorrow's device environment is not bought today. It's
| bought today-and-every-day-for-the-past-30-years.
|
| And securing the entire environment is the key goal.
| midasuni wrote:
| IoT, the S stands for security.
| oars wrote:
| XD
| psychlops wrote:
| This law delegates any guidelines to NIST. The guidelines
| recommended can be found here:
|
| https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf
|
| My casual quick read did not see any manufacturers being held
| liable for security breaches. It's not clear to me how serious
| the USG is being if there is still no fault for the ongoing mass
| breaches of privacy.
| vuln wrote:
| It's all theatre... Absolutely no teeth.
| ryandrake wrote:
| Yup, the doc seems to merely make optional recommendations,
| without enforcement, and only apply them to new devices (not
| ones already in the field). This is the USA's way to "get
| serious" about something. It's a nothingburger.
| systemvoltage wrote:
| NIST cannot write and enforce law. They can only make
| recommendations.
| ryandrake wrote:
| That's kind of the problem though. "Getting serious"
| apparently means punting the problem to a standards body
| that can't write or enforce law.
| PeterisP wrote:
| However, once some recommendations are written as standards,
| and understood and at least partly implemented by some
| manufacturers, it would be quite straightforward for
| other laws to prohibit sales to consumers or import of
| certain product categories unless they meet those
| standards - and it would be quite crazy to pass such
| restrictions before the standards have been made and
| discussed and tweaked; they take work and time to become
| reasonable.
|
| So assigning resources and a specific organization to
| define such standards is the way to go even if there's no
| enforcement scheduled yet.
| joe_the_user wrote:
| _My casual quick read did not see any manufacturers being held
| liable for security breaches._
|
| Liability as security panacea keeps coming up here. It's kind of
| ridiculous imo.
|
| Electrical components, for example, aren't made safe by
| liability but by standards. And given there's no set way anyone
| knows how to manufacture secure components, it's hard to come
| up with a "you should have known" standard for liability.
| bdamm wrote:
| Liability guidance is effective at being clear about who
| needs to pay for security. An example of where this is
| effective is the rollout of chip-and-pin credit cards. Only
| when retailers became liable for forgery due to the "weakest
| link" liability clause put forward by Mastercard and Visa did
| they become motivated to deploy card terminals that could do
| chip-and-pin. And fraud has been significantly reduced as a
| result[1].
|
| [1]: https://usa.visa.com/visa-
| everywhere/blog/bdp/2019/05/28/chi...
| rectang wrote:
| There will always, always be entrepreneurs who gamble that
| they won't get caught, or that they as individuals can cash
| out early and end up money ahead even if the company gets caught
| and goes down in flames.
| williesleg wrote:
| Yay! Now I can trust everything again!
___________________________________________________________________
(page generated 2021-03-18 23:00 UTC)