In response to high-profile data breaches and security warnings from the technology industry and independent agencies alike, members of the U.S. Congress have been working for years to address security concerns involving Internet-of-Things devices.
Congress recently made significant progress toward greater IoT security in the United States when it passed (with broad bipartisan support) the Internet of Things Cybersecurity Improvement Act of 2020, which was signed into law by President Donald J. Trump on Dec. 4, 2020. Although the new IoT cybersecurity law focuses primarily on the procurement of IoT technology and products by the federal government, it has the potential to create a more uniform IoT security standard across the private sector.
Background on IoT devices
At a high level, the term “IoT device” refers to a physical instrument or device that connects to the internet, can gather and share data about its environment or usage, and has at least one network interface with which an end-user can engage. Examples of IoT devices range from mundane, personal items, like thermostats and vacuums, to devices addressing significant security concerns, like door locks and security cameras. Interestingly, the definition of an IoT device within the new IoT cybersecurity law excludes “conventional” IoT technology and devices, like smartphones and laptops.
According to Statista, there will be more than 75 billion IoT devices in use by 2025, which would constitute a nearly threefold increase from 2019. As we previously state Legislatures, which vaguely require IoT devices to have “reasonable security features” embedded therein. That is to say, organizations can be confident that if they satisfy NIST’s (likely to be) detailed and specific guidance pertaining to IoT security, then they will have also satisfied the more general security requirements issued at the state and local levels. Further, NIST has become a reliable resource for the business sector by issuing sophisticated, timely and practical guidance, much of which includes recommendations furnished by its private sector partners. This history and experience reinforce the likelihood that businesses will seek to comply with NIST’s new IoT security guidance. In short, all these factors have the possibility to serve as a catalyst for (indirectly) compelling a more unified adoption of IoT security standards in the U.S.