By Yejin Jang, Forescout Technologies, Inc.
State legislative sessions are underway, and there is a noticeable increase in the number of filed bills that address cybersecurity. This isn’t entirely surprising: as of December 2018, the National Conference of State Legislatures reported that 23 states had created statewide cybersecurity-focused committees or task forces, and it is logical that regulation or legislation would follow.
Now, policy proposals are moving beyond protecting traditional networked devices like desktops/workstations, and there is increased attention on the security of non-traditional IoT devices. There is also movement to ban specific products that pose a national security threat.
In Congress, both the House and Senate introduced IoT legislation that aims to apply NIST-recommended standards when the federal government procures and deploys IoT devices (S. 734, H.R. 1668). These standards will likely be based on NISTIR 8228, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.” In California, an IoT bill will go into effect in January 2020. It will require IoT manufacturers to equip their products with “reasonable security features.”
Beyond IoT, there is also legislative movement to ban specific networked or IP-enabled products, which began with the July 2018 Kaspersky ban in the federal sphere. State law in New Hampshire banning Kaspersky products went into effect at the same time. Kaspersky products, however, are not the only products facing a legal ban.
Section 889 of the 2019 National Defense Authorization Act (NDAA) bans federal agencies from procuring, using, and “obligating or expending loan or grant funds” to procure “covered telecommunications equipment or services,” which it defines as equipment produced by Huawei Technologies Company or ZTE Corporation, and equipment produced by Hytera Communications Corporation (radio transceivers and radio systems), Hangzhou Hikvision Digital Technology Company (video surveillance products), or Dahua Technology Company (video surveillance products and services). State governments should be especially cautious about any inventory of products that fall within this definition, because the Federal Communications Commission (FCC) has requested comment on how the NDAA language relates to Universal Service Fund programs, which include E-Rate among others. The anticipated outcome of the FCC’s public notice is a prohibition on using federal funds for the aforementioned products.
Forescout wanted to bring the above information to the attention of state CIOs because security is yet again a top priority for them, and state CIOs have also identified continuous diagnostics and monitoring (CDM) as the #2 priority under the applications and tools category. The Center for Strategic and International Studies notes in its “Raising the Bar for Cybersecurity” report that CDM can stop 85 percent of cyberattacks. CDM is synonymous with information security continuous monitoring (ISCM), which is defined in NIST SP 800-137. Essentially, ISCM means knowing what hardware and software is on your network, who made it, and what it is doing (and whether it is working), at all times. Federal agencies are well into implementation of CDM, and Forescout provides discovery of hardware and software assets (HWAM and SWAM) across almost all of the federal CDM program.
Update: Since this blog was written, President Trump issued an Executive Order (EO) on Securing the Information and Communications Technology (ICT) and Services Supply Chain on May 15, 2019. The EO speaks to some of the issues mentioned in this blog post regarding the security risk of certain ICT devices.