Also commonly referred to as the IoT for short, the Internet of Things is a term that refers to a massive, interconnected network of literally billions of sensor and “smart” devices, all of which are creating and sharing data with one another at all times. According to one recent study, nearly 20.4 of these devices were already online as of 2020 – a number that is expected to climb to 75 billion over the next five years alone.
With this many personal and professional devices creating this sheer volume of sensitive information on a daily basis, naturally the conversation has turned to what can be done to protect them from hackers and other malicious individuals out to cause as much harm as possible. Such was the case with the recent bipartisan IoT Cybersecurity Improvement Act, sponsored by Representative Will Hurd (R-Texas) and Representative Robin Kelly (D-Illinois). Security experts have already indicated that this is a step in the right direction, as it provides a valuable framework of basic security requirements that will allow the federal government to lead by example moving forward.
The IoT Cybersecurity Improvement Act: Breaking Things Down
At its core, the IoT Cybersecurity Improvement Act is aimed at addressing the issue of establishing security requirements within connected devices for federal procurements.
It requires the following of certain basic best practices from vendors, including but not limited to things like:
- Any IoT devices must be patchable moving forward.
- Devices cannot contain any known vulnerabilities. If vulnerabilities are identified, they must be immediately disclosed.
- The devices themselves cannot contain any hard-coded passwords.
- The devices must also rely on standard security protocols, and outside experts need to emphasize the importance of having vendors disclose what network protocols are in use.
The legislation also empowers OMB, in partnership with the National Institute of Standards of Technology, to single out specific measures that can be used by agencies to keep IoT devices safer. Examples of this include network segmentation, the use of gateways in a particular environment, using containerized operating systems, the use of microservices and more.
The Act has also been praised because, while it does establish modest new device security requirements, it also offers agencies the flexibility to waive these requirements if certain conditions are met. If agencies already employ their own equivalent (or more rigorous) security requirements, or if the industry steps up and develops third party device certification standards, agencies can waive everything in the IoT Cybersecurity Improvement Act at their discretion. To read the Act directly, click here.
Finally, another one of the most important parts of the legislation is that it requires all agencies to maintain a comprehensive inventory of any IoT-powered devices in use. This is critical, as every device on a network is a potential vulnerability just waiting to be exploited by someone who knows what they’re doing. You can’t protect something if you don’t know it exists to begin with, which is why this provision (along with the rest of the legislation) will be invaluable in terms of keeping federal data safe as much as possible moving forward.
All told, the Internet of Things Cybersecurity Improvement Act is an essential first step in taking a stronger and more proactive cybersecurity stance – but it needs to be exactly that, a first step towards something larger and more comprehensive. Whether industries follow in the footsteps of the federal government in the way that they need to is something that experts will be paying close attention to as time goes on.
Internet Law flickr photo by Visual Content shared under a Creative Commons (BY) license
