Cascading Security Through the Internet of Things Supply Chain

Trey Herr, Nathaniel Kim, Bruce Schneier
Monday, June 29, 2020, 8:01 AM

The “internet of things” supply chain has been a channel for risk into our homes. We can use that same channel to push security back up through the supply chain.

A Nest Learning Thermostat connected to the internet sits on a TV cabinet. (Source: George Lane,; CC BY 2.0,

Published by The Lawfare Institute
in Cooperation With

The “internet of things” (IoT) has been insecure since the first connected refrigerator woke up and asked for more milk. But while having your fridge hacked seems at best amusing and at worst inconvenient, the nightmare scenario is a matter of national security. Imagine hundreds of thousands of smart refrigerators, all with the same default password, hacked to direct a flood of web traffic against key internet servers, paralyzing them. Swap smart fridges for security cameras and DVD players, and you have the Dyn cyberattack of 2016.

At the heart of most home networks, and many industrial ones, is the humble wireless router. The security of these popular hubs is a prominent concern because they form the core of IoT networks. Against the steady drumbeat of major security flaws disclosed in the code running these devices—including several in just the past month—researchers have seen little progress in router security over the past 15 years. Serious vulnerabilities in home Wi-Fi routers can open the door for attackers to gain access to local networks and other connected systems. As the U.S. faces a surge of attacks exploiting the widespread uncertainty and confusion wrought by the coronavirus pandemic, these concerns have become all the more urgent.

Routers exemplify the challenges for IoT security: widening dependence, poor security practices, and manufacturers based around the world beyond the reach of a single jurisdiction.

This issue of jurisdiction is critical. Even with a clear security framework for manufacturers, supported by the kind of congressionally backed enforcement proposed by the U.S. Cyberspace Solarium Commission, most manufacturers in this market are based outside the United States. The IoT supply chain is global, and any policy solution must account for this fact.

In a new paper, we propose to leverage these supply chains as part of the solution. Selling to U.S. consumers generally requires that IoT manufacturers sell through a U.S. subsidiary or, more commonly, a domestic distributor like Best Buy or Amazon. The Federal Trade Commission can apply regulatory pressure to this distributor to sell only products that meet the requirements of a security framework developed by U.S. cybersecurity agencies. That would put pressure on manufacturers to make sure their products are compliant with the standards set out in this security framework, including pressuring their component vendors and original device manufacturers to make sure they supply parts that meet the recognized security framework.

Companies are asking for testable IoT standards that would help them accurately and consistently communicate the safety of the products they sell to customers. Distributors like Target already have internal processes in place to ensure that all products on their shelves comply with relevant safety and quality standards. Efforts like the recent NIST Internal Report 8259 are good candidates for such a framework, preventing the Federal Trade Commission from having to endorse or promulgate its own standards. Other examples, like the Japanese government’s IoT Security Safety Framework, evince welcome concern about the issue but, at present, are too abstract to be enforceable on manufacturing and design processes.

Additionally, a national labeling scheme would help distributors identify compliant products and provide a pathway for consumer pressure on manufacturers. One recent survey found 87 percent of consumers believe it is the manufacturer’s responsibility to secure their IoT products. A labeling scheme would provide another pathway for that sentiment to shape the marketplace. The Cyberspace Solarium Commission’s recommendation for a National Cybersecurity Certification and Labeling Authority would help concentrate market information about good security practices and provide accessible ratings to users. Last month, Carnegie Mellon’s CyLab demonstrated a prototype IoT security labeling scheme, based on several years of work meant to condense key security measures into a concise set of words and images.

These policy tools are not limited to the United States. Earlier this year, Singapore unveiled its own plan for such a labeling scheme for Wi-Fi routers and smart home products, an encouraging sign that this could be a feasible way to remove poorly secured IoT devices from the global market. The U.K.’s Code of Practice presents a similar opportunity to hold retailers and distributors accountable for products they sell, offering 13 security guidelines for IoT manufacturers and service providers. Following a public consultation in 2019, the U.K. government explored a mandatory security labeling scheme, as well as an outright ban of the sale of products that do not adhere to the top three guidelines: no default passwords, implementation of a vulnerability disclosure policy, and regular software updates backed by an end-of-life policy. Building on the U.K.’s work, the European Telecommunications Standards Institute (ETSI) launched its consumer IoT security standard last year, while the EU Agency for Cybersecurity published its Good Practices report outlining baseline security recommendations for the IoT. A proposal from Australia’s IoT Alliance for an independent certification scheme, called Trust Mark, would provide the kind of security labeling we call for.

Any of these efforts could provide an effective candidate for an international security framework, especially if harmonized with a U.S. standard. Cross-national coordination with other countries that have major markets for IoT products is crucial for preventing jurisdiction hopping by manufacturers. Europe is an important partner for such cooperation, given the EU’s recent focus on security standards and certification.

The poor state of IoT security is nothing new, but the growing array of policy initiatives and security standards to address it is a welcome sign. It would be a genuine loss for the public interest if these efforts floundered due to jurisdictional boundaries and the limitations of domestic enforcement. Establishing and harmonizing security standards across borders is an important step toward a more secure IoT ecosystem. The IoT supply chain has so far been a channel for risk into our homes. We can use that same channel to push security back up through the supply chain.

Trey Herr is Assistant Professor of cybersecurity and policy at American University’s School of International Service and director of the Cyber Statecraft Initiative at the Atlantic Council. At the Council his team works on the role of the technology industry in geopolitics, cyber conflict, the security of the internet, cyber safety and growing a more capable cybersecurity policy workforce.
Nathaniel Kim is a recent graduate of the Harvard Kennedy School. He has written on the security and safety challenges of the internet of things as part of his work at the Organization for Economic Cooperation and Development and the Belfer Center for Science and International Affairs.
Bruce Schneier is an internationally renowned security technologist, called a “security guru” by the Economist. He is the New York Times best-selling author of 14 books — including ”Click Here to Kill Everybody”—as well as hundreds of articles, essays and academic papers.

Subscribe to Lawfare