The IoT Cybersecurity Improvement Act of 2020 is now federal law, meaning that US government “smart devices” will be subject to a new and more stringent set of security standards.
Sponsored by a bipartisan coalition consisting of Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) along with Senators Mark Warner (D-VA) and Cory Gardner (R-CO), the terms of the bill apply to any IoT device purchased with government money. In addition to establishing new mandatory minimum security standards for these devices, the new IoT cybersecurity bill requires that these standards and policies be updated at least once every five years.
IoT cybersecurity act aims to shore up supply chain vulnerabilities
The new IoT cybersecurity bill does not spell out all of the new security standards; this responsibility goes to the National Institute of Standards and Technology (NIST) to develop, while the Office of Management and Budget (OMB) is tasked with reviewing current information security policies and ensuring that they stay consistent with NIST guidelines. NIST and OMB are also tasked with creating new vulnerability reporting guidelines, including a new standard for reporting by government contractors. The two agencies will convene to update standards, guidelines and policies periodically.
Federal agencies will not be allowed to acquire IoT devices that do not meet NIST’s baseline security standards. However, the IoT cybersecurity bill includes a waiver process for devices that meet certain criteria: those that are necessary for national security or that are required for research are two primary examples.
The IoT cybersecurity bill comes in response to a longstanding state of generally poor security in smart device manufacturing, a weakness that has been exploited even more ruthlessly than usual of late as the Covid-19 pandemic drives a spike in all types of cyber crime. Since IoT devices first became available, the industry has been plagued by a lax attitude toward security; some of this is due to a lack of understanding of how damaging the compromise of these devices can be, and some of it is simply owed to cost-cutting and market pressures. The end result has been a great many internet-connected smart devices that either have insufficient protection from hacking or have no ability to be updated when vulnerabilities are discovered.
There has been a 100% increase in IoT device takeovers in 2020; these devices now represent 32.72% of all infected mobile and WiFi network components, up from 16.17% last year. Well aware of the tendency of these devices to be vulnerable, cyber criminals are using network scans to look for public-facing smart devices to compromise. Edgard Capdevielle, CEO of Nozomi Networks, adds: “Nozomi’s 2020 OT/IoT Threat Landscape Report found that in the first six months of this year, hackers used IoT botnets and shifting ransomware tactics as their weapons of choice for targeting IoT devices in operational networks. With more than 5.8 million enterprise and automotive IoT devices expected to be connected to the Internet this year according to Gartner, this new law will help make IoT security a top priority.”
Government agencies have to consider not just the devices that are used internally, which may be tucked away behind a secure network, but also the entirety of the federal third-party contractor supply chain that now spans over four million companies. The government has weathered a number of high-profile “vendor compromise” incidents of this nature in recent years, the hack of security vendor SolarWinds being the biggest and most current example.
Focus on IoT security by design
Whatever policies come out of NIST will face considerable natural obstacles in real-world implementation, however. The bill calls for a focus on “security by design,” which would appear to mandate the acquisition of devices that are manufactured with this level of security in mind. There is simply a general shortage of these sorts of devices available on the market in many product categories, with the young IoT industry focused much more heavily on competing on cost and rapid innovation. The existing supply chain is also built on millions (if not tens of millions) of these devices, making replacement a task that is potentially too expensive and disruptive to operations.
Observers have also raised concerns over the inclusion of waivers in the IoT cybersecurity bill; the language used appears to be broad enough to make it possible to sneak through a variety of insecure devices with a little creativity. However, the language in more recent versions has been narrowed compared to the version initially introduced in the House (which allowed for waivers in any situation “appropriate to the function of the covered device,” something that was clearly ripe for abuse). As of this writing, the final text of the bill has yet to be posted publicly by the Library of Congress.
Efforts to regulate IoT cybersecurity have been ramping up around the world recently, as the US federal government is not unique in having to cope with this embedded threat. That includes efforts within the United States: California, a leader in digital privacy, has a bill in the pipeline (SB-237) that would require device manufacturers in the state to implement “reasonable security features appropriate to the function of the device.” And while the EU’s GDPR does not directly address IoT security at the manufacturing level, legislation being considered in the United Kingdom would require similar security features. If passed, it might lead to the standards being applied beyond UK borders. Yaniv Nissenboim, Vice President of Vdoo, added: “We also expect the trend to spread to state governments (most have already introduced or passed IoT cybersecurity legislation) and then immediately onto private adopters and users. Companies that fail to demonstrate compliance might find themselves shut out of lucrative target markets for their IoT devices at some point … We expect similar regulations and standards to emerge outside the US as well. Singapore has already launched a national rating system for connected devices’ cybersecurity, and other nations will follow. This is an expected reaction of regulators to the increasing threat globally.”