Earlier this month (October 2020) the House of Representatives passed the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 (the Act) introduced in 2017 by U.S. Senators Cory Gardner (R-CO) and Mark Warner (D-VA) and will now move to the Senate for consideration. The legislation sets minimum security standards for all IoT devices purchased by government agencies.
In a recent article written for the National Law Review by Jeffrey M. Schlossberg, a Principal in the Long Island, New York, Office of Jackson Lewis P.C., he says that despite the tasks that can be accomplished by IoT devices, they remain vulnerable to cyberattack. Currently, there is no national standard addressing cybersecurity for IoT devices. There have been several attempts in recent years to develop a national IoT strategy. For example, in late 2017, a coalition of tech industry leaders released a report that put out a call for the creation and implementation of a national strategy to invest, innovate and accelerate development and deployment of IoT, and stressed the need to enact legislation which would, inter alia, require IoT security measures in a “comprehensive manner.” Further, as far back as 2015, the FTC issued “concrete steps” businesses can take to enhance the privacy and security of IoT for consumers.
Steve Lasky, Editorial Director for SecurityInfoWatch.com (SIW) posed several questions to Brad Ree, CTO of the ioXt Alliance, after this recent House vote to gauge the impact he thought this Bill would have on the security of IoT. Here is our conversation.
SIW: How will this bill improve IoT security for federal devices?
Brad Ree: This bill will improve security in devices in a number of different ways. First, per this bill, the National Institute of Standards and Technology (NIST) will need to provide the security standards based on feedback and input from standards organizations and industry leaders, to be adopted by the device companies which will be the foundation for improving security in connected products.Additionally, this bill implements a disclosure program that requires manufacturers to disclose security vulnerabilities in their devices and how they were resolved for increased transparency to the end-users and goes deeper into the supply chain to hold more stakeholders accountable for security. Both of these factors are critical components of successful security plans and will improve the security of the IoT devices the government will be purchasing.
SIW: Which parts of the bill are most interesting to you?
Ree: A couple of things in the bill stand out to me. The clause for secure development of products is something I found particularly interesting, and something we feel strongly about at the ioXt Alliance. To have secure devices, you need to consider the full supply chain and not just the end result and this bill goes beyond just configuration, identity management, and regular updates and takes into account how the device is developed for better security in IoT products. Also, the fact that this bill has specified that it should be reviewed and revised as necessary every five years, is an important part of keeping up-to-date with the latest technological developments which will allow it to evolve and align with new innovative technology and standards as they are developed.
SIW: Do you think this bill will help advance security for consumer devices?
Ree: Yes, definitely. There is so much crossover between the manufacturers and tech companies working in the consumer and government/commercial space, that this bill will naturally infiltrate the consumer device market. Due to the overlap, it’s not practical for a manufacturer to follow different sets of standards and build two different versions of the same connected products so I don’t think of this bill just for federal device security, but for higher security standards for all connected devices.
SIW: Do you think this bill will pass in the Senate?
Ree: This is a good bipartisan bill that looks safe on paper, so I think it seems likely to pass in the Senate considering how quickly it got pushed through the House. Since it is a way to protect government purchases, I anticipate most people will be on board to push it through.
SIW: What other measures are needed to improve IoT security for federal and consumer devices?
Ree: This bill is a step in the right direction when it comes to security, but there is room for improvement. Currently, there is an abundance of industry and government organizations creating standards to protect devices, so there is a need for harmonized, globally adopted and replicable IoT standards. Introducing and enforcing global standards through trusted certification programs can help end-users have greater confidence that the products they are purchasing are protected.
SIW: What do you think the future of IoT security will look like?
Ree: As industries continue to innovate and produce more connected products, security will remain a key concern for device manufacturers, government organizations and consumers. I think the future of IoT security will emphasize consumer transparency and will have a bigger focus on globally accepted security standards for consumer devices. Due to the success of this bill, I think the public and private sectors will work more closely to ensure all devices are safe and meet security requirements across industries, which will lead to a consumer device bill in the near future.