Recently, lawmakers have introduced the 2017 Cyber Shield Act, which would require IoT devices to be labeled with a security grade. The 2017 IoT Cybersecurity Improvement Act was also introduced this year, specifically addressing the security of connected devices purchased by the U.S. government and contractors’ responsibility to maintain this security.
Cyber Shield Act of 2017
The Cyber Shield Act of 2017 was introduced to help the IoT industry focus on making its products more secure through voluntary certification. The act describes a voluntary program that would lead to the establishment of a committee to identify the best practices, methods, procedures, and processes for IoT security.
This is achieved by creating a Cyber Shield Advisory Committee consisting of cybersecurity experts, business representatives from companies of all sizes, government representatives with relevant knowledge, and public interest advocates. The work of the committee will define the benchmarks for security, introduce a way for manufacturers to label their devices with security grading, and make security recommendations accessible to the public. The act also describes a Cyber Shield portal, which will list products certified under the program.
Critics say the act will not be useful in increasing cybersecurity in IoT devices: the time it would take for the committee to convene and finally complete its work would likely result in outdated benchmarks and guidelines, and as a voluntary program, it would be difficult to garner participation. However, the act could succeed in raising awareness of the issue of cybersecurity and of how vulnerable many devices are.
Internet of Things infographic. Image courtesy of Intel.
IoT Cybersecurity Improvement Act
The IoT Cybersecurity Improvement Act of 2017 was introduced to address the security of connected devices purchased by the U.S. government.
The act places the responsibility on the manufacturer or contractor to ensure, through written certification, that their devices are secured, have no known security vulnerabilities or defects listed in national databases of known vulnerabilities, and can be updated securely by the vendor in the future. The act also stipulates that the contractor must use industry standards and protocols, and that the device must not contain hard-coded credentials for communications, updates, or remote administration. If a security vulnerability becomes known to the contractor, the contractor must notify the government agency that purchased the device. The contractor must also update, repair, or replace the device in a timely manner once a vulnerability is disclosed.
There are exceptions to the act, such as when a device's functionality would be severely limited in order to meet the requirements of the act, or for devices that already adhere to stricter standards than those required by the act. There appear to be no criminal repercussions if a contractor fails to meet the requirements of the act. While the act focuses solely on federally purchased devices, discussions in the cybersecurity community suggest this could encourage manufacturers to adhere to these standards for general consumer products as well.
Feature image courtesy of Shutterstock.