Hard to believe but Congress just approved an IoT security law and it doesn't totally suck

Secure coding, identity management, patching, configuration controls, what madness is this?


Every now and again the US Congress manages to do its job and yesterday was one of those days: the Senate passed a new IoT cybersecurity piece of legislation that the House also approved, and it will now move to the President’s desk.

As we noted back in March when the IoT Cybersecurity Improvement Act was introduced, the law bill is actually pretty good: it asks America's National Institute of Standards and Technology (NIST) to come up with guidelines for Internet-of-Things devices and would require any federal agency to only buy products from companies that met the new rules.

It gives a minimum list of considerations to be covered: secure code, identity management, patching and configuration management. It also requires the General Services Administration – the arm of the federal government that sources products and comms for federal agencies – to come up with guidelines that would require each agency to report and publish details of security vulnerabilities, and how they resolved them, and coordinate with other agencies.

Someone using a futuristic touchscreen IoT control panel

Don't be too shocked, but it looks as though these politicians have actually got their act together on IoT security

READ MORE

Industry has also got behind the effort - Symantec, Mozilla, BSA The Software Alliance (which includes Apple, Microsoft, IBM, Cloudflare, the CTIA and others) - and Congress has managed to keep its fingers out of things it knows nothing about by leaving the production of standards with the experts, using federal procurement to create a de facto industry standard.

It’s not perfect of course. Companies will still be able to produce products that don’t meet the new standards and so there will continue to be insecure products aimed at consumers at lower prices, pretty much guaranteeing that cybersecurity is going to continue to be a major problem for the internet of things. And the law hasn’t taken on the fundamental issue of how and when devices are updated to deal with emerging security holes.

But this new law does mean that for those looking for good, secure products, there will be a baseline standard across the industry.

Good first step

The legislation was passed unanimously by the Senate and is the biggest piece of legislation on this critical issue: the attaching of millions - billions - of devices to the internet; many of which have poor security.

Assuming the president signs it, it will start taking effect next year - the original timeline of NIST recommendations by September was blown through thanks to Congress doing what it does best - arguing itself into stasis.

But its passing is cause for celebration: a federal, nationwide approach is going to be more effective than a series of state laws (both California and Oregon have already passed IoT security bills).

It is not a full solution. As noted above, it doesn’t require companies or anyone outside the federal government to produce or buy products that meet the new standards. So the market will continue to pump out insecure IoT devices; which in turn will create huge opportunities for botnets and DDoS attacks and data theft and so on.

But this is an essential first step to getting secure IoT in place. Who knows, maybe Congress will surprise us all again and set aside resources to push and promote the importance of buying products that do meet the new standards. Well, we can dream. ®

Similar topics


Other stories you might like

  • Research finds consumer-grade IoT devices showing up... on corporate networks

    Considering the slack security of such kit, it's a perfect storm

    Increasing numbers of "non-business" Internet of Things devices are showing up inside corporate networks, Palo Alto Networks has warned, saying that smart lightbulbs and internet-connected pet feeders may not feature in organisations' threat models.

    According to Greg Day, VP and CSO EMEA of the US-based enterprise networking firm: "When you consider that the security controls in consumer IoT devices are minimal, so as not to increase the price, the lack of visibility coupled with increased remote working could lead to serious cybersecurity incidents."

    The company surveyed 1,900 IT decision-makers across 18 countries including the UK, US, Germany, the Netherlands and Australia, finding that just over three quarters (78 per cent) of them reported an increase in non-business IoT devices connected to their org's networks.

    Continue reading
  • Huawei appears to have quenched its thirst for power in favour of more efficient 5G

    Never mind the performance, man, think of the planet

    MBB Forum 2021 The "G" in 5G stands for Green, if the hours of keynotes at the Mobile Broadband Forum in Dubai are to be believed.

    Run by Huawei, the forum was a mixture of in-person event and talking heads over occasionally grainy video and kicked off with an admission by Ken Hu, rotating chairman of the Shenzhen-based electronics giant, that the adoption of 5G – with its promise of faster speeds, higher bandwidth and lower latency – was still quite low for some applications.

    Despite the dream five years ago, that the tech would link up everything, "we have not connected all things," Hu said.

    Continue reading
  • What is self-learning AI and how does it tackle ransomware?

    Darktrace: Why you need defence that operates at machine speed

    Sponsored There used to be two certainties in life - death and taxes - but thanks to online crooks around the world, there's a third: ransomware. This attack mechanism continues to gain traction because of its phenomenal success. Despite admonishments from governments, victims continue to pay up using low-friction cryptocurrency channels, emboldening criminal groups even further.

    Darktrace, the AI-powered security company that went public this spring, aims to stop the spread of ransomware by preventing its customers from becoming victims at all. To do that, they need a defence mechanism that operates at machine speed, explains its director of threat hunting Max Heinemeyer.

    According to Darktrace's 2021 Ransomware Threat Report [PDF], ransomware attacks are on the rise. It warns that businesses will experience these attacks every 11 seconds in 2021, up from 40 seconds in 2016.

    Continue reading

Biting the hand that feeds IT © 1998–2021