I’ve been asked whether cyber regulation is needed and, if so, what type.  Here are some thoughts:

I do think carefully thought-out regulation is required.  Laws that are too broad or too specific would hamper industry, but basic safety standards should exist.  Here is one example of a first stab at universal cyber safety:  http://www.ul.com/cybersecurity/

Perhaps there should even be a new organization to lead this effort.  The problem is that there are many disparate efforts today.  IAD at the NSA does security testing.  CERT does testing.  Various other labs, universities, etc. do testing.  But ultimately the manufacturer should show that it has followed best practice.  It needs to do proper testing and use the right components (vetted crypto, up-to-date libraries, etc.).

Cost is sometimes raised as a reason for not doing security.  I disagree.  If a smart device (a thermostat, say) costs 4-9% more because of safety/security, I’m fine with that.  The added cost might even slow adoption a touch in favor of security; I’m fine with that too.  If someone wants to upgrade an old thermostat and it costs $108 USD rather than $100 USD because of best practices, I assume most people would be OK with that.

There is still time to get this right.  We need basic guidance that assumes the underlying technologies will change over time:

  1. Proper software practices and testing, including
    1. Static code analysis
    2. Security-oriented runtime testing (e.g. fuzzing and dynamic analysis)
    3. Yearly third-party review (code audit and system pentest)
  2. Secure communications and data retention
    1. Encryption of data in transit and at rest
  3. A secure update plan
    1. Devices should be able to update securely WHEN (not if) bugs are found
      1. Include the ability to do both software and firmware updates
  4. Privacy assurances
    1. The company should not be storing, tracking, or marketing consumer data without the user’s explicit knowledge
    2. Companies should not share that data with government or law enforcement without a proper warrant
  5. Basic system hardening
    1. Stop hardcoding credentials and backdoors in firmware that end users cannot change
    2. Stop using default credentials.  Generate them on install or force the consumer to provide credentials
    3. Remove unnecessary services used for debugging devices
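As an added illustration of item 3 (a secure update plan) and item 5.1 (no secrets baked into firmware), here is a minimal update verifier in Go.  This is example code written for this post, not code from the original post or from any vendor.  It assumes a hypothetical manifest format (a version number, the SHA-256 of the image, and an Ed25519 signature over both); the device pins only the vendor's public key, so nothing secret ships in the firmware, and a strict version check refuses rollbacks to older images even when they carry a genuine signature.  All type and function names and the sample image bytes are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor shipped next to the image.
// The vendor signs (Version || ImageHash) so neither can be altered in transit.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// signingBytes returns the canonical bytes covered by the signature.
func (m *Manifest) signingBytes() []byte {
	buf := make([]byte, 4, 4+len(m.ImageHash))
	binary.BigEndian.PutUint32(buf, m.Version)
	return append(buf, m.ImageHash[:]...)
}

// Device models the state an update check needs. Only the vendor's public key
// is stored in firmware; there is no shared secret an attacker could extract.
type Device struct {
	VendorPub      ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("image hash does not match manifest")
	ErrRollback     = errors.New("update version is not newer than the running version")
)

// VerifyUpdate accepts an update only if the manifest is signed by the pinned
// vendor key, the image matches the signed hash, and the version is strictly newer.
// The signature is checked first so a forged version or hash never reaches the later checks.
func (d *Device) VerifyUpdate(m *Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorPub, m.signingBytes(), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= d.CurrentVersion {
		return ErrRollback
	}
	return nil
}

// ApplyUpdate verifies, then records the new version (stands in for flashing the image).
func (d *Device) ApplyUpdate(m *Manifest, image []byte) error {
	if err := d.VerifyUpdate(m, image); err != nil {
		return err
	}
	d.CurrentVersion = m.Version
	return nil
}

// SignManifest is the vendor-side step; the private key lives on build
// infrastructure and never on the device.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) *Manifest {
	m := &Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.signingBytes())
	return m
}

// Scenarios exercises the verifier against one genuine update and four attacks,
// returning the outcome of each in order.
func Scenarios() []error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: vendorPub, CurrentVersion: 3}
	image := []byte("constructed firmware image, version 4") // sample payload for this example

	// 1. Genuine v4 update: accepted, the device now runs v4.
	r1 := dev.ApplyUpdate(SignManifest(vendorPriv, 4, image), image)

	// 2. Valid manifest, but the image was altered in transit.
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	r2 := dev.VerifyUpdate(SignManifest(vendorPriv, 5, image), tampered)

	// 3. Replay of an older, genuinely signed release (downgrade attack).
	r3 := dev.VerifyUpdate(SignManifest(vendorPriv, 2, image), image)

	// 4. Manifest signed by a key the device does not trust.
	r4 := dev.VerifyUpdate(SignManifest(otherPriv, 5, image), image)

	// 5. Attacker edits the version field of a signed manifest to defeat the rollback check.
	forged := SignManifest(vendorPriv, 2, image)
	forged.Version = 9
	r5 := dev.VerifyUpdate(forged, image)

	return []error{r1, r2, r3, r4, r5}
}

func main() {
	for i, err := range Scenarios() {
		fmt.Printf("scenario %d: %v\n", i+1, err)
	}
}
```

The order of the checks matters: because the signature covers both the version and the image hash, an attacker who can intercept updates can neither substitute an image nor bump the version field to slip an old release past the rollback check.  A real device would also store CurrentVersion in tamper-resistant storage and apply the same scheme to both firmware and application software, which is what item 3.1.1 above asks for.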

Clear violations of these should be punishable by appropriate fines, as with HIPAA, PCI, and auto safety.  Note: strict anti-hacking regulation that would limit a security researcher’s ability to test, reverse engineer, etc. is not what this is about.  This is about making software safer.  Also, I’m not talking about cyberwar regulation; that subject deserves another blog post at another time.

Cyber Regulation – Software Security