Will the IoT Cybersecurity Improvement Act be signed by the president? Most security industry experts believe the answer to that question is yes — but which president?
The proposed legislation has bipartisan sponsorship from Reps. Will Hurd, R-Texas, and Robin Kelly, D-Ill. If it becomes law, the act will require IoT devices procured or used by the federal government to meet basic security requirements.
The issue of IoT device security has been with us for many years. Back in 2016, I wrote this blog asking "Should Insecure IoT Devices Be Banned?" One focus at that time was the Mirai botnet bringing down large portions of cyberspace, largely by infecting insecure IoT devices.
The National Institute of Standards and Technology (NIST) has been working on IoT security recommendations for several years, but following their guidance on this topic has been voluntary up to this point.
The explosion of IoT devices globally, along with the serious risk that cyberattacks exploiting insecure IoT devices pose to critical infrastructure and essential networks, has led to the urgently needed IoT Cybersecurity Improvement Act.
What Will the IoT Cybersecurity Improvement Act Do?
The recent Senate approval of the proposed legislation was greeted by wide media coverage from around the country. Here are several articles of note:
“The bill affirms the risks inherent with accelerated use of internet-connected devices and calls for cooperative efforts between government, industry and academia.
“It also establishes a hierarchy of responsibility for protecting federal agencies against cyberattacks that starts with the executive branch, ‘followed by the Office of Management and Budget [OMB], the Secretary of Homeland Security and the head of each such agency,’ while directing the OMB to oversee the creation of IoT security standards by the National Institute of Standards and Technology (NIST). Federal agencies and suppliers would be required to use only devices meeting prescribed standards and notify agencies of any known vulnerabilities affecting devices used.”
“The IoT Cybersecurity Improvement Act has several different parts. First, it mandates that NIST must issue standards-based guidelines for the minimum security of IoT devices that are owned by the federal government. The Office of Management and Budget (OMB) must also implement requirements for federal civilian agencies to have information-security policies that are consistent with these NIST guidelines.
“Under the law, federal agencies must also implement a vulnerability-disclosure policy for IoT devices, and they cannot procure devices that don’t meet the security guidelines.”
“Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.), co-chairs of the Senate Cybersecurity Caucus, have been backing versions of the legislation since 2017.
“‘While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security,’ Warner said in a statement following the vote. ‘I urge the president to sign this bill into law without delay.’
“Gardner added that ‘experts expect tens of billions of devices’ to be operating on networks in the coming years.”
“The legislation marks a step forward in securing IoT devices purchased by the government. U.S. agencies have growing fleets of IoT devices that are used for many purposes, including tracking assets, monitoring ships and controlling access to buildings.
“Setting security standards for IoT devices deployed by the government is an obvious first step to securing the billions of devices that will join the internet in the next couple of years, says Brad Ree, CTO of the consultancy ioXt and board member at the ioXt Alliance, a trade group dedicated to securing IoT devices.”
The National Law Review: “Internet of Things Cybersecurity Legislation Clears Congress, Heads to White House For President’s Signature”
“The head of any federal agency is prohibited from 'procuring or obtaining, renewing a contract to procure or obtain, or using an [IoT] device,' if the Chief Information Officer of that agency determines during a required review for 'a contract for such device that the use of such device prevents compliance with the standards and guidelines' developed by NIST. There are three limited grounds for waiver of this requirement — including if the CIO of the agency determines that:
The waiver is necessary in the interest of national security;
Procuring, obtaining, or using such device is necessary for research purposes; or
Such device is secured using alternative and effective methods appropriate to the function of such device.”
I hope President Trump will sign the IoT Cybersecurity Improvement Act into law. This could provide one final cybersecurity accomplishment for the Trump administration after four years which have definitely moved the needle in a positive direction for global cyberpolicy.
If Trump does not sign the act into law, sponsors believe that similar legislation will likely pass early in a Biden administration, but that delay would push back the implementation of needed IoT security controls. A delay would also deny the Trump administration an opportunity to sign an important safety measure into law as a legacy item.
Either way, this legislation has broad bipartisan support. IoT device manufacturers need to take notice of this guidance now and start building in the required protections for what will become the new normal.