Hard to believe but Congress just approved an IoT security law and it doesn't totally suck
Secure coding, identity management, patching, configuration controls, what madness is this?
Every now and again the US Congress manages to do its job and yesterday was one of those days: the Senate passed a new IoT cybersecurity piece of legislation that the House also approved, and it will now move to the President’s desk.
As we noted back in March when the IoT Cybersecurity Improvement Act was introduced, the law bill is actually pretty good: it asks America's National Institute of Standards and Technology (NIST) to come up with guidelines for Internet-of-Things devices and would require any federal agency to only buy products from companies that met the new rules.
It gives a minimum list of considerations to be covered: secure code, identity management, patching and configuration management. It also requires the General Services Administration – the arm of the federal government that sources products and comms for federal agencies – to come up with guidelines that would require each agency to report and publish details of security vulnerabilities, and how they resolved them, and coordinate with other agencies.
Don't be too shocked, but it looks as though these politicians have actually got their act together on IoT securityREAD MORE
Industry has also got behind the effort - Symantec, Mozilla, BSA The Software Alliance (which includes Apple, Microsoft, IBM, Cloudflare, the CTIA and others) - and Congress has managed to keep its fingers out of things it knows nothing about by leaving the production of standards with the experts, using federal procurement to create a de facto industry standard.
It’s not perfect of course. Companies will still be able to produce products that don’t meet the new standards and so there will continue to be insecure products aimed at consumers at lower prices, pretty much guaranteeing that cybersecurity is going to continue to be a major problem for the internet of things. And the law hasn’t taken on the fundamental issue of how and when devices are updated to deal with emerging security holes.
But this new law does mean that for those looking for good, secure products, there will be a baseline standard across the industry.
Good first step
The legislation was passed unanimously by the Senate and is the biggest piece of legislation on this critical issue: the attaching of millions - billions - of devices to the internet; many of which have poor security.
Assuming the president signs it, it will start taking effect next year - the original timeline of NIST recommendations by September was blown through thanks to Congress doing what it does best - arguing itself into stasis.
But its passing is cause for celebration: a federal, nationwide approach is going to be more effective than a series of state laws (both California and Oregon have already passed IoT security bills).
It is not a full solution. As noted above, it doesn’t require companies or anyone outside the federal government to produce or buy products that meet the new standards. So the market will continue to pump out insecure IoT devices; which in turn will create huge opportunities for botnets and DDoS attacks and data theft and so on.
But this is an essential first step to getting secure IoT in place. Who knows, maybe Congress will surprise us all again and set aside resources to push and promote the importance of buying products that do meet the new standards. Well, we can dream. ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust