Senate Passes IoT Cybersecurity Improvement Act
Legislation Awaits President's Signature to Become Law
Despite the post-election chaos in Washington, the U.S. Senate took a step forward this week on IoT security.
The chamber unanimously passed without amendments the Internet of Things Cybersecurity Improvement Act of 2020, the latest iteration of legislation that's been in the works for three years. It was approved by the House of Representatives on Sept. 14.
The bill will now go to President Donald Trump to be signed into law - the first to address IoT.
Two states already have IoT legislation. California's law - SB-327 - which went into effect in January, forbids the sale of devices that don't have reasonable baseline security measures. Oregon's IoT law, which also became effective in January, is similar to California's.
The legislation marks a step forward in securing IoT devices purchased by the government. U.S. agencies have growing fleets of IoT devices that are used for many purposes, including tracking assets, monitoring ships and controlling access to buildings.
Setting security standards for IoT devices deployed by the government is an obvious first step to securing the billions of devices that will join the internet in the next couple of years, says Brad Ree, CTO of the consultancy ioXt and board member at the ioXt Alliance, a trade group dedicated to securing IoT devices.
"It is great to see American leadership in IoT security," Ree says. "As the largest economy in the world, we cannot be passive in securing our networks."
The new law, once signed by the president, will require government agencies to procure only devices that meet minimum information security requirements. The National Institute of Standards and Technology (NIST) will be required to publish minimum standards for aspects such as secure development, identity management, patching and configuration management.
NIST is already well ahead in that area. In May, it published NISTIR 8259A, which covers a core baseline of cybersecurity controls that devices should support. It also finalized baseline security recommendations for IoT device manufacturers in NISTIR 8259.
The legislation also requires that NIST develop a program to collate data on vulnerabilities and disseminate that information, a key measure to ensure that IoT devices are kept up to date.
Harley Geiger, director of public policy for the security vendor Rapid7, writes in a blog post that the legislation is "arguably the most significant U.S. IoT-specific cybersecurity law to date, as well as the most significant law promoting private sector adoption of coordinated vulnerability. IoT security is widely acknowledged as a global priority, and vulnerability disclosure processes are fundamental security practices. So passage of the bill should be seen as a very positive step forward for cybersecurity and the security community."
Manufacturers Improving. Slowly.
Security experts have warned that IoT products, ranging from cameras to door locks and routers, can be turned into potent weapons for distributed denial-of-service attacks.
The most glaring example of IoT failure is Mirai, the botnet code that in September 2016 infected millions of routers and CCTV cameras.
The compromised devices were then used for devastating DDoS attacks, including against DNS provider Dyn, which caused many services to go offline (see Mirai Botnet Pummels Internet DNS in Unprecedented Attack).
Compromised IoT devices also pose risks for data theft and privacy invasions. IoT manufacturers are slowly improving their security efforts, but researchers continue to find glaring security holes (see How an IoT Door Lock Actually Provided a Way In).
Ree says while some manufacturers are doing a good job building secure products, the pending new law "helps reduce the noise being created by companies who are cutting corners for short-term gains."