November 24, 2020
Congress gave unanimous approval to the IoT Cybersecurity Improvement Act, a law covering all the bases for the security of the Internet of Things. The Act was written with advice from Symantec, Mozilla and BSA | The Software Alliance among others, which contributed a list of considerations including secure development, identity management, patching, and configuration management. The law is perceived as establishing a baseline for IoT devices and products. Manufacturers can choose to release products that do not comply.
Forbes notes that products that don’t comply with the baseline requirements will “predictably have lower prices — but for those who prefer to pay for a higher level of security, there will be at least a series of basic industry standards to which they can refer.” California and Oregon have already passed such security laws, but “the passage of a law at the federal level is a strong incentive to create industry standards.” Passage of the law, of course, depends on President Trump signing it.
Forbes adds that the law “will allow the market to understand the importance of security in this context and that incidents such as the development of botnets using constellations of insecure devices or the exploitation of vulnerabilities in specific installations could, at the very least, become more isolated and difficult to carry out.” The European Union also “has initiatives under development at various stages aimed at creating reference frameworks with regard to IOT security.”
The Register reports that the IoT Cybersecurity Improvement Act, introduced this last March, “asks America’s National Institute of Standards and Technology (NIST) to come up with guidelines for Internet of Things devices and would require any federal agency to only buy products from companies that met the new rules.”
The bill “also requires the General Services Administration — the arm of the federal government that sources products and comms for federal agencies — to come up with guidelines that would require each agency to report and publish details of security vulnerabilities, and how they resolved them, and coordinate with other agencies.”
The Register praises Congress’ bill for the fact that it “has managed to keep its fingers out of things it knows nothing about by leaving the production of standards with the experts, using federal procurement to create a de facto industry standard.” One of the bill’s imperfections is that “companies will still be able to produce products that don’t meet the new standards and so there will continue to be insecure products aimed at consumers at lower prices, pretty much guaranteeing that cybersecurity is going to continue to be a major problem for the Internet of Things.”
The law also doesn’t address “how and when devices are updated to deal with emerging security holes.” If the president signs the bill, “it will start taking effect next year.” Although it’s not a “full solution,” The Register opines, “its passing is cause for celebration: a federal, nationwide approach is going to be more effective than a series of state laws.”