In response to high-profile data breaches and security warnings from the technology industry and independent agencies alike, members of U.S. Congress have been working for years to address security concerns involving Internet-of-Things devices.
Congress recently made significant progress toward greater IoT security in the United States when it passed (with broad bipartisan support) the Internet of Things Cybersecurity Improvement Act of 2020, which became law when President Donald J. Trump signed it on Dec. 4, 2020. Although the new IoT cybersecurity law focuses primarily on the procurement of IoT technology and products by the federal government, it has the potential to create a more uniform IoT security standard across the private sector.
Background on IoT devices
At a high level, the term “IoT device” refers to a physical instrument or device that connects to the internet, can gather and share data about its environment or usage, and has at least one network interface with which an end-user can engage. Examples of IoT devices range from mundane, personal items, like thermostats and vacuums, to devices addressing significant security concerns, like door locks and security cameras. Notably, the definition of an IoT device within the new IoT cybersecurity law excludes “conventional” information technology devices, like smartphones and laptops.
According to Statista, there will be more than 75 billion IoT devices in use by 2025, which would constitute a nearly threefold increase from 2019. As we previously noted, “IoT devices are more vulnerable to cyberattacks than traditional connected technology because they often lack the processing power needed to support conventional data and infrastructure protection, such as firewalls and antivirus and antimalware programs.” They often contain “back doors” enabling remote access for a variety of purposes (e.g., maintenance and support), which create additional security concerns. Within the U.S., there is no single law governing IoT security across all industries.
New IoT security standards
The primary focus of the new IoT cybersecurity law is to regulate how the federal government procures IoT devices by prohibiting federal agencies from purchasing any such device that fails to meet minimum security standards. The law mandates that the National Institute of Standards and Technology develop, publish and update these security standards and other related guidelines. It also requires these new standards and guidelines to be consistent with NIST’s previous IoT guidance on:
- Identifying and managing security vulnerabilities within IoT devices.
- Securely developing IoT technology.
- Identity management.
- Remote software patching.
- Configuration management.
After NIST publishes these standards and guidelines, the Office of Management and Budget is required to review each federal agency’s information security policies to ensure they comply with NIST’s IoT security standards and issue its own policies, where necessary, to ensure the federal government is fully aligned with NIST’s IoT security framework.
New process for disclosing security vulnerabilities
One of the more difficult cybersecurity issues that governments confront is how to permit third parties to identify and report security vulnerabilities they discover in the government’s information technology environment while ensuring the disclosure itself does not create a new security risk. In turn, the new IoT cybersecurity law requires NIST to issue federal guidelines for “the reporting, coordinating, publishing and receiving of information about a security vulnerability” identified in an IT system owned or used by the federal government. Similarly, the law charges OMB, in coordination with the Department of Homeland Security, to “develop and oversee the implementation of policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities” of such information systems, including applicable IoT devices.
Towards a unified IoT security framework
Although the new IoT cybersecurity law does not directly impose security requirements on the private sector, it has the opportunity to serve as the new standard the private sector will broadly use to measure security and assess risk. The law prohibits a federal agency from “procuring or obtaining, renewing a contract to procure or obtain, or using an [IoT] device, if the Chief Information Officer of that agency determines … that the use of such device prevents compliance” with the aforementioned IoT security and vulnerability disclosure standards and guidelines developed under the law. With some exceptions, these prohibitions apply regardless of the size of the government contract or purchase.
The federal government’s significant spending on IT services and solutions, including IoT devices, will certainly incentivize device manufacturers to comply with NIST’s security standards and guidelines to avoid potentially losing a large customer, such as the government, and with it, revenue and profits. Moreover, private sector organizations will likely look to NIST’s standards for guidance when interpreting the requirements of the IoT security laws enacted by state legislatures, which vaguely require IoT devices to have “reasonable security features” embedded therein. That is to say, organizations can be confident that if they satisfy NIST’s (likely to be) detailed and specific guidance pertaining to IoT security, then they will have also satisfied the more general security requirements issued at the state and local levels. Further, NIST has become a reliable resource for the business sector by issuing sophisticated, timely and practical guidance, much of which includes recommendations furnished by its private sector partners. This history and experience reinforce the likelihood that businesses will seek to comply with NIST’s new IoT security guidance. In short, all these factors could serve as a catalyst for (indirectly) compelling a more unified adoption of IoT security standards in the U.S.