March 12, 2019
Congress introduced the Internet of Things Cybersecurity Improvement Act yesterday in an effort to put legislative weight behind securing connected devices. Defense Intelligence Agency director Lieutenant General Robert Ashley told lawmakers last year that IoT devices are considered one of the “most important emerging cyberthreats” to national security. Without a national standard for IoT security, we have to rely on steps taken by individual companies. The legislation, which was first introduced in 2017, would require security standards for IoT devices used by the federal government.
“Connected devices are expected to boom to 20.4 billion units by 2020, but they don’t all have the same levels of security,” reports CNET. “Hackers often target IoT devices that don’t have built-in security, leading to problems like default passwords and vulnerabilities that can’t be fixed.”
“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” explained Senator Mark Warner (D-Virginia).
Initially, the proposed legislation would require security standards only for IoT devices sold to the federal government, but lawmakers hope that improving standards for such a large customer would impact the market as a whole.
If the legislation passes, “the burden of setting security standards would fall on the National Institute of Standards and Technology (NIST), and all devices purchased by the federal government would then be forced to comply with NIST’s guidelines,” according to Gizmodo.
“The bill is not like California’s SB 327, the country’s first IoT security law, which passed last September,” notes CNET. “California’s law requires specific security measures that device makers have to adhere to, like getting rid of default passwords and requiring users to generate their own passwords before allowing device access.”