In response to high-profile data breaches and security warnings from the technology industry and independent agencies alike, members of U.S. Congress have been working for years to address security concerns involving Internet-of-Things devices.
Congress recently made significant progress toward greater IoT security in the United States by enacting, with broad bipartisan support, the Internet of Things Cybersecurity Improvement Act of 2020, which President Donald J. Trump signed into law on Dec. 4, 2020. Although the new IoT cybersecurity law focuses primarily on the federal government's procurement of IoT technology and products, it has the potential to create a more uniform IoT security standard across the private sector.
Background on IoT devices
At a high level, the term "IoT device" refers to a physical instrument or device that connects to the internet, can gather and share data about its environment or usage, and has at least one network interface with which an end-user can engage. Examples of IoT devices range from mundane, personal items, like thermostats and vacuums, to devices addressing significant security concerns, like door locks and security cameras. Interestingly, the definition of an IoT device within the new IoT cybersecurity law excludes "conventional" IoT technology and devices, like smartphones and laptops.
According to Statista, there will be more than 75 billion IoT devices in use by 2025, which would constitute a nearly threefold increase from 2019. As we previously noted, "IoT devices are more vulnerable to cyberattacks than traditional connected technology because they often lack the processing power needed to support conventional data and infrastructure protection, such as firewalls and antivirus and antimalware programs." They often contain "back doors" enabling remote access for a variety of purposes (e.g., maintenance and support), which create additional security concerns. Within the U.S., there is no single law governing IoT security across all industries.
New IoT security standards
The primary focus of the new IoT cybersecurity law is to regulate how the federal government procures IoT devices by prohibiting federal agencies from purchasing any such device that fails to meet minimum security standards. The law mandates that the National Institute of Standards and Technology develop, publish and update these security standards and other related guidelines. It also requires these new standards and guidelines to be consistent with NIST's previous IoT guidance on:
- Identifying and managing security vulnerabilities within IoT devices.
- Securely developing IoT technology.
- Identity management.
- Remote software patching.
- Configuration management.
After NIST publishes these standards and guidelines, the Office of Management and Budget is required to review each federal agency's information security policies to ensure they comply with NIST's IoT security standards and issue its own policies, where necessary, to ensure the federal government is fully aligned with NIST's IoT security framework.
New process for disclosing security vulnerabilities
One of the more difficult cybersecurity issues that governments confront is how to permit third parties to identify and report security vulnerabilities they discover in the government's information technology environment while ensuring the disclosure itself does not create a new security risk. In turn, the new IoT cybersecurity law requires NIST to issue federal guidelines for "the reporting, coordinating, publishing and receiving of information about a security vulnerability" identified in an IT system owned or used by the federal government. Similarly, the law charges OMB, in coordination with the Department of Homeland Security, to "develop and oversee the implementation of policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities" of such information systems, including applicable IoT devices.
Towards a unified IoT security framework
Although the new IoT cybersecurity law does not directly impose security requirements on the private sector, it has the potential to serve as the new standard the private sector will broadly use to measure security and assess risk. The law prohibits a federal agency from "procuring or obtaining, renewing a contract to procure or obtain, or using an [IoT] device, if the Chief Information Officer of that agency determines … that the use of such device prevents compliance" with the aforementioned IoT security and vulnerability disclosure standards and guidelines developed under the law. With some exceptions, these prohibitions apply regardless of the size of the government contract or purchase.
The federal government's significant spending on IT services and solutions, including IoT devices, will certainly incentivize device manufacturers to comply with NIST's security standards and guidelines to avoid potentially losing a large customer, such as the government, and with it, revenue and profits. Moreover, private sector organizations will likely look to NIST's standards for guidance when interpreting the requirements of the IoT security laws enacted by state legislatures, which vaguely require IoT devices to have "reasonable security features" embedded therein. That is to say, organizations can be confident that if they satisfy NIST's (likely to be) detailed and specific guidance pertaining to IoT security, then they will have also satisfied the more general security requirements issued at the state and local levels. Further, NIST has become a reliable resource for the business sector by issuing sophisticated, timely and practical guidance, much of which includes recommendations furnished by its private sector partners. This history and experience reinforce the likelihood that businesses will seek to comply with NIST's new IoT security guidance. In short, all these factors could serve as a catalyst for (indirectly) compelling a more unified adoption of IoT security standards in the U.S.