i3 - September/October 2019 - 23

The Why and How of the Standard

He says baseline agreements are necessary to assure
security through many devices and components. "The
scariest problem is that some devices get plugged into a
corporate system, which means that if hackers break into
a vendor's server, the effect can then radiate out to other
devices attached to that source," Nelson says. Placing the
protection in the cloud can prevent those attacks.
Jack Cutts, senior director of industry and business intelligence, CTA, recommends that companies leverage the cloud
to protect against DDoS or malware implantation. "Since so
much of our data traverses the cloud when traveling to and
from our devices, the centralized cloud is the logical and costeffective place to scan for malware, to fight malicious bots and
to flag suspicious transactions in real time," Cutts explains.
He also acknowledges the value of cybersecurity specialists
who are "often best-suited to distill lessons learned from
across industry verticals to inform the most holistic views
possible of what the threat landscape looks like."
"The advent of cloud computing combined with the huge
advances in machine learning and artificial intelligence
mean that cybersecurity firms are well place to have sustained, measurable impact," Cutts says.
Diana Volere, chief evangelist at Saviynt Inc., a Seattle
data infrastructure and cloud security firm, agrees that the
cloud offers cybersecurity solutions to combat the vulnerabilities in the rapid expansion of IoT devices. She calls it

11 0 1 0 111 11 0 1 0 111 11 0 1 0 111 11 0 1 0 111 11 0 1 0 111 11 0 1 0 1 0 111 0 11

Padlock & chain: The Lightwriter/Alamy. Hand & key: Blackred/Getty Images.

CTA-2088 standard is an ANSI standard being developed by CTA's R14 committee, Cybersecurity
and Privacy Management. CTA-2088 covers the same IoT device 'core' baseline security capabilities,
such as limiting internal device access to authorized users. This is equivalent to the "what" of this
element of security: What is the expected capability? The CTA-2088 standard goes the next step in
asking "how?" How does a device show this capability? Manufacturers, retailers and assessment groups
need to know the answer to this question. In engineering terms, they need a testable criterion. CTA-2088
expected in late 2019, provides this important additional information.

"fairly disturbing" that the fast acceleration of IoT devices
has meant that companies are "not adopting published
standards and adhering to them."
She cites problems such as manufacturers who do not
source components from reliable manufacturers. "Chips and
technology could be compromised before they hit the
shelves," Volere explains, which means that when they are
plugged into the network, they can cause immense harm.
"The fact that we don't have standards in place is one thing,"
Volere says, but "organizations that are handling personal
data should be aware" of ways to assure protection.
Cynthia Brumfield, a cybersecurity analyst and publisher of
Metacurity, gives a shout-out to ideas that are coming from "a
host of cybersecurity startups that have raised hundreds of millions of dollars to build security into IoT devices. She points to
ventures that seek "to help users better position themselves to
ensure the security of those devices. Even browser makers such
as Mozilla are incorporating guides to IoT device security."
Inevitably the intense efforts of government and industry groups to find solutions to the growing cybersecurity
challenges will generate valuable solutions. The share
goal of "aligned" policies will also face some hurdles - if
only because of the cornucopia of expertise. As the C2
report points out a major challenge may be "how to consider such a wealth of overlapping recommendations and
[decide] which ones to follow."

WHO OVERSEES IT ALL?
Legislators in at least 45 states are examining
how they can assure individuals and organizations with cybersecurity protections, especially for connected devices, financial and
medical information and government services, according to the National Conference of
State Legislatures. A few states have adopted
laws, notably California's Internet of Things
regulations which go into effect on January 1, 2020. The new law (SB-327) requires all
connected-device makers to equip products

C TA . t e c h / i 3

i3_0919_FEATURE_Cybersecurity.indd 23

with "reasonable security features or features
to protect the device and any information
contained therein from unauthorized access,
destruction, use, modification or disclosure."
The prospect of dozens of state or regional regulations poses a challenge, even to
those who are not eager for any national regulation of smart devices. CTA's approach to
cyber policy is to allow technical, consensusdriven standards and guidelines to lead the
industry, rather than regulators. Regulatory

requirements that differ by state or jurisdiction would inhibit security, says CTA, which
seeks to promote global harmonization versus fragmentation of security specifications.
CTA's policy is to support "consensusbased, voluntary standards and tools that
promote adaptive device security," and
encourages policymakers to "focus on the
baseline security approach and industry-led
efforts that are not prescriptive to manufacturers in a single jurisdiction or region."

SEPTEMBER/OCTOBER 2019

9/9/19 7:08 PM

https://cta.tech/News/i3.aspx?Page=1

i3 - September/October 2019

Table of Contents for the Digital Edition of i3 - September/October 2019