US lawmakers are still hoping to make the IoT a safer place with the reintroduction of an IoT cybersecurity bill.
The IoT Cybersecurity Improvement Act of 2019 is a bipartisan effort to drive better protection measures into connected devices. If passed, it would source recommendations from the National Institute of Standards and Technology (NIST) for the secure development, identity management, patching and configuration of IoT equipment.
Companies could ignore the recommendations of course, but that's where the Bill's second major clause comes in: if they do, the federal government won’t buy their kit.
Under the legislation, the Office Of Management and Budget (OMB) would require federal agencies to check devices against its own guidelines, produced from the NIST recommendations, before buying them.
The Bill takes a different approach to California's IoT security legislation SB-327, which comes into force on January 1 next year. That law defines its own “reasonable guidelines” for security, including guidance around device authentication.
This is always a dangerous approach, firstly because lawmakers are often not technicians and don’t always have sufficient in-house expertise. Secondly, changing the law is a lot more difficult than changing external guidelines produced by technical experts. The federal legislation would require NIST to review its guidelines every five years.
While some praised SB-327 as a good first step, cybersecurity experts warned that it it was too vague, and focused too heavily on adding security features rather than prohibiting common existing flaws.
On the other hand, SP-327 had a wider scope, focusing on all IoT devices sold in California. Will a Chinese developer of insecure kids' smart watches care much about reworking them to align with the federal guidelines? Probably not.
Still, government procurement will motivate many IoT device manufacturers to examine their security more thoroughly. Industry figures and organizations came out in support of the Bill.
“As IoT devices increasingly bring greater productivity and quality of life to consumers and businesses across sectors, we must be proactive in addressing the unique security considerations they bring,” said Tommy Ross, senior policy director of the Software Alliance.
This isn’t the Bill’s first rodeo. Senator Mark Warner, who is behind this latest bill, first introduced it in 2017, but it didn’t get very far. Hopefully, it will enjoy more success the second time around.
The topic of Cyber Physical/IoT will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Cyber Physical/IoT here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
