First introduced in March of 2019, the IoT Cybersecurity Improvement Act of 2019 has now cleared its first hurdle in the House of Representatives and moves on to the Senate for a floor vote. Meant to create a security standard for the government purchase and use of all Internet of Things (IoT) devices, the bill would task the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) with creating more stringent contractor screening and government use requirements if it ultimately passes.
Addressing the gaping IoT cybersecurity hole
IoT cybersecurity is a significant and ongoing problem everywhere, but particularly in the US government due to an almost complete lack of security standards for both government devices and those used by contractors. If passed, the bill would force government agencies to only purchase devices that can meet these newly established internet connectivity standards.
IoT devices are a particular risk as security standards tend to be much lower than they are for phones, tablets and computers. The IoT cybersecurity problem has persisted since these devices were first introduced years ago, but improvements are only sporadic at best while these devices steadily become more ubiquitous and collect a wider range of personal information. Some devices have no security whatsoever or come with a default password that cannot be changed; many have no means of receiving security updates when a vulnerability is discovered. Manufacturers often scrimp on IoT device security because it’s too difficult to establish an architecture for these unique devices or simply because it’s too expensive.
This problem is compounded by federal government procurement policies that tend to require agencies to go with the lowest bidder that is “technically acceptable,” something that becomes an obvious problem with no formal IoT cybersecurity standards in place. The bill would not create new market standards for IoT device security, but would force the government to only purchase from manufacturers that implement adequate measures. However, there is hope that this would create market pressure that in turn would create a general improvement in IoT cybersecurity standards.
The bill must now survive a Senate floor vote and then go to the president’s desk to be signed into law. NIST would be the agency taking point on developing IoT cybersecurity standards, and would review whatever policy it creates every five years. In addition to setting new national security standards, all of the government’s IoT device vendors would have to create a vulnerability disclosure policy.
Welcoming an initiative independent of any single industry, Ellen Boehm, senior director of IoT product management at Keyfactor, commented, “Any time there is an initiative around improving cybersecurity for IoT devices, independent of industry, it helps the collective market challenge the current state and think deeper about best practices around encryption and authentication for this growing population of connected things. We frequently hear about hackers who take advantage of weaknesses in IoT security, maliciously taking control of smart home devices for DDoS attacks or changing functionality of medical devices. The only way to improve our security posture is to design a robust security architecture around our entire IoT systems. Guidelines provided by NIST or other standards groups can really make an impact in how we design security into IoT devices from inception and provide a method to manage authentication and encryption around the IoT device data and functionality over time.”
Waivers may cause concerns
However, the IoT cybersecurity bill going before the Senate includes provisions for waivers that have some security professionals concerned. One particular waiver allows for exceptions when “appropriate to the function of the covered device,” broad wording that could be interpreted as a blanket loophole to make use of any sort of internet connected devices regardless of the security standards. The House bill did not include these broad waiver terms, and the bill may be amended to be closer to that form before it is voted on by the Senate.
Some precedent for this bill can be seen in California’s SB 327, the country’s first IoT cybersecurity law. That law is more expansive in that it places security requirements on all manufacturers of IoT devices located in California, but it also suffers from wording that is proving not to be adequately forward-thinking. The California law’s issue is that it defines a secure device solely as one that is password-protected and allows the user to change the password; it does not require devices to support patching to address vulnerabilities discovered after they ship.
More regulations to address increasing IoT cybersecurity risks
A recent research report issued by Congress estimates that there are about 10 billion IoT devices in use today, with this number expected to swell to about 21.5 billion in the next five years. The US government spends tens of billions of dollars on these devices and their connectivity solutions each year. Some are in highly sensitive applications: utility grid sensors, patient care equipment at military hospitals, and a wide range of military field applications, among other categories that are targets of high interest to hackers. The theft of sensitive information is far from the only risk that poor IoT cybersecurity presents; poorly secured devices can also provide an initial foothold from which attackers can gain greater access to networks.
In addition to the IoT Cybersecurity Improvement Act, lawmakers are attempting to address this considerable security risk with a companion piece of legislation called the “Developing and Growing the IoT Act.” This bill establishes a federal-level working group that would consult with technology industry leaders to assist in establishing the federal IoT security standards.