The IoT Cybersecurity Improvement Act of 2019
Cybersecurity Crisis Training: Stakeholder Press Conference Exercise
Purpose: This exercise is designed to give you practical experience in handling real-life cybersecurity threats or attacks for their organization. Through this exercise, you will better understand how the types of cyber-attacks described in class are applied, take a shot at forming policy solutions, and sharpen you communication skills.
Deliverables: Prepare a sample press packet. This press packet should include the following items:
Press Release (1 page)
Short technical background sheet (1-2 pages)
• This section should describe in more detail the technical issues of the problem at hand. It may also include pictures and diagrams.
• Frequently Asked Questions (1 page)
• This section should anticipate questions other stakeholders or the media would ask in response to the problem and should provide your organization’s answers.
Read the material found via the links below. Additional research on stakeholder positions is strongly suggested as well. You may use any resource you deem necessary to prepare your statement, press kit, and for Q&A.
There are two important stakeholder roles in this cybersecurity crisis situation. You may choose to take on one of two different roles:
• Private Vendors of Internet of Things Devices
• U.S. Government
Scenario: On Friday October 21st, a series of IoT DDoS attacks caused widespread disruption of legitimate internet activity in the US. This is an increase trend with IoT devices and BotNets.
The bipartisan Internet of Things Cybersecurity Improvement Act of 2019, introduced 03/11/2019, follows a similar bill that stalled in the previous Congress. As before, the goal is to ensure that all government agencies are operating under the same set of security guidelines when they buy IoT devices, which have a wide range of civilian and military uses.
Under the legislation, the National Institute of Standards and Technology would issue recommendations on the development, configuration, identity management and patching of IoT devices. The Office of Management and Budget would then “issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years,” according to the news release. Vendors would have to meet those guidelines to sell their devices to the government.
Your assignment is to explore this incident further, using your research to present it from the perspective of your assigned stakeholder. Your goal is to hold a press conference which explains the controversy and your stakeholder’s future plans or suggested policy changes in response to it.
Sources and Additional Reading:
1. 10 things to know about the October 21 IoT DDoS attacks
2. How IoT Devices are Being Weaponized for a DDoS Attack
3. IoT And DDoS Attacks: A Match Made In Heaven
4. How an IoT DDoS warning system helps predict cyberattacks
5. The IoT Cybersecurity Improvement Act of 2019