IoT Cybersecurity Improvement Act Signed Into Law
The bipartisan IoT Cybersecurity Improvement Act was officially signed into law earlier this month, mandating that any IoT device purchased with government funds must meet minimum security standards.
With the Internet of Things (IoT) market expected to grow to over 41 billion devices by 2025, legislators have been under mounting pressure to address a lack of regulation surrounding device security standards.
This lack of security and the potential for attacks has undoubtedly kept this issue on the minds of manufacturers, technology companies, and government agencies. And on December 4, President Trump signed into law a bipartisan piece of legislation, the Internet of Things Cybersecurity Improvement Act of 2020.
Although it only applies to federal government agencies, commentators believe that it’s likely to have far-reaching consequences and impact not only electronic devices procured by the federal government but consumer devices, too.
The federal government’s use of IoT devices is on the rise. Examples include weather sensors used by the Environmental Protection Agency and autonomous surveillance towers deployed at borders by Customs and Border Protection.
An example of how the government taps into IoT technology. Image used courtesy of the United States Government Accountability Office
The bill, which was unanimously approved by U.S. legislators, was developed by consulting with companies like Symantec, Mozilla, and BSA The Software Alliance. It’s based on a list of considerations that IoT devices must cover: secure development, identity management, patching, and configuration management.
The bill specifically focuses on improving the security of federal devices with standards provided by the National Institute of Standards and Technology (NIST). It will cover devices from the initial development stages right through to the final product, ensuring that devices are developed using security-led processes.
NIST Draft Guidance
On December 15, NIST released its draft guidance, a set of four publications offering recommendations to federal agencies and manufacturers concerning effective cybersecurity for IoT devices. The publications will help address challenges raised in the recently signed bill and begin to provide the guidance that it mandates.
Ways to identify IoT cybersecurity. Image used courtesy of NIST
Together, the four documents—NIST Special Publication (SP) 800-213 and NIST Interagency Reports (NISTIRs) 8259B, 8259C, and 8259D—form what NIST calls a “unit intended to help ensure government and IoT device designers are on the same page” with federal IoT devices and their cybersecurity requirements.
A Step in the Right Direction
Although the bill is a step in the right direction, commentators say that it only begins to scratch the surface of what needs to be done to protect the IoT industry and its end users.
It’s important to remember that this is a first step that will enable the market to begin to understand the importance of security in the context of the IoT. It will also place additional barriers between systems and attackers who want to take advantage of the existing lack of security.
It’s likely that the bill will serve as a catalyst for future legislative efforts, too. In its current form, the bill doesn’t define the guidelines for security. This is something that will be a pain point for design engineers and manufacturers who need to comply with them and will undoubtedly need to be addressed in the future.
Areas in which federal agencies plan to implement IoT. Image used courtesy of the United States Government Accountability Office
While the bill is a great start and signals that the U.S. government is finally starting to prioritize IoT security, an international effort needs to be put in place to establish global standards. Such an effort will help to avoid friction arising from different legislatures developing and adopting their own cybersecurity regulations.
In addition, a set of synchronized global standards with consistent worldwide enforcement through established certification programs will keep design engineers, manufacturers, tech companies, and other IoT stakeholders accountable for security and provide transparency for all end users.