- Too many IoT devices ship from the manufacturer with vulnerabilities and inadequate ways to update devices once they are deployed.
- The U.S. federal government hopes to establish a security standard through the National Institute of Standards and Technology.
- The U.S. federal government hopes to positively influence the security of IoT devices through its purchasing power.
One of the most powerful tools the federal government has to effect change in the industry is its enormous buying power. When the U.S. federal government demands something of the products and services it buys, vendors of those products and services listen.
That's precisely what new U.S. federal legislation, the Internet of Things (IoT) Cybersecurity Improvement Act, does. The act passed the U.S. House of Representatives in September and the U.S. Senate last week.
The Internet of Things (IoT) Cybersecurity Improvement Act requires:
- The National Institute of Standards and Technology to publish recommendations addressing, at a minimum, secure IoT development, IoT identity management, IoT device security patching, and effective IoT configuration management.
- The Office of Management and Budget to take the recommendations from the National Institute of Standards and Technology and create guidelines for each federal agency, and to make appropriate revisions to the Federal Acquisition Regulation to implement the new security standards and guidelines.
- Any IoT device purchased by the federal government to comply with those recommendations.
- Guidelines on vulnerability disclosure and remediation to be created with input from cybersecurity researchers, industry experts, and the Department of Homeland Security, with development of the guidelines led by the National Institute of Standards and Technology.
- Coordinated vulnerability disclosure from contractors and vendors alike, so that when vulnerabilities are uncovered they can be efficiently mitigated.
"While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security," Sen. Warner said in a statement. "I'm proud that Congress was able to come together today to pass this legislation, which will harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell. I urge the President to sign this bill into law without delay."
"The bipartisan Internet of Things Cybersecurity Improvement Act will ensure that the U.S. government purchases secure devices and closes existing vulnerabilities to protect our national security and the personal information of American families," said Congresswoman Robin Kelly, co-chair of the House Tech Accountability Caucus.
Following its passage in the House, Sen. Gardner said that "most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand. We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government's networks."
Reaction around the industry has been positive. Paul Bischoff, a privacy advocate at Comparitech.com, spoke with I.T. Pro and said the move was overdue. "I think it was wise to put NIST, a reputable non-partisan standards body, in charge of drafting guidelines and auditing devices, as opposed to writing fixed standards into law that would only be made obsolete in a few years' time. Although government-level security standards might not be necessary on all devices, it would be helpful for consumers and businesses to know which devices meet NIST's standards," he told the publication.
What is considered an IoT device covered by the bill? The law firm Gordon & Rees Scully Mansukhani, writing at Lexology.com, says that the "legislation defines a covered device to include a physical object that is capable of being in regular connection with the Internet or a network that is connected to the Internet, and has computer processing capabilities of collecting, sending or receiving data. It would not include personal cell phones or personal computers. It also exempts devices that are necessary for 'national security' or 'research purposes.'"
IoT is a misjudged risk. When many people consider IoT security, what comes to mind are the Internet-connected gadgets found around the home. But IoT is for big businesses, too, and helps do everything from delivering healthcare and running manufacturing lines to managing business supply chains. The more extensive the installed base of IoT devices, the larger the attack surface available to malicious actors. By one estimate cited in the article, there will be 67 billion connected devices by 2025, nearly tripling the current number.
On December 4, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 reached the President of the United States' desk and was signed into law.