Hard to believe but Congress just approved an IoT security law and it doesn't totally suck

Secure coding, identity management, patching, configuration controls, what madness is this?

Every now and again the US Congress manages to do its job and yesterday was one of those days: the Senate passed a new IoT cybersecurity piece of legislation that the House also approved, and it will now move to the President’s desk.

As we noted back in March when the IoT Cybersecurity Improvement Act was introduced, the law bill is actually pretty good: it asks America's National Institute of Standards and Technology (NIST) to come up with guidelines for Internet-of-Things devices and would require any federal agency to only buy products from companies that met the new rules.

It gives a minimum list of considerations to be covered: secure code, identity management, patching and configuration management. It also requires the General Services Administration – the arm of the federal government that sources products and comms for federal agencies – to come up with guidelines that would require each agency to report and publish details of security vulnerabilities, and how they resolved them, and coordinate with other agencies.

Someone using a futuristic touchscreen IoT control panel

Don't be too shocked, but it looks as though these politicians have actually got their act together on IoT security


Industry has also got behind the effort - Symantec, Mozilla, BSA The Software Alliance (which includes Apple, Microsoft, IBM, Cloudflare, the CTIA and others) - and Congress has managed to keep its fingers out of things it knows nothing about by leaving the production of standards with the experts, using federal procurement to create a de facto industry standard.

It’s not perfect of course. Companies will still be able to produce products that don’t meet the new standards and so there will continue to be insecure products aimed at consumers at lower prices, pretty much guaranteeing that cybersecurity is going to continue to be a major problem for the internet of things. And the law hasn’t taken on the fundamental issue of how and when devices are updated to deal with emerging security holes.

But this new law does mean that for those looking for good, secure products, there will be a baseline standard across the industry.

Good first step

The legislation was passed unanimously by the Senate and is the biggest piece of legislation on this critical issue: the attaching of millions - billions - of devices to the internet; many of which have poor security.

Assuming the president signs it, it will start taking effect next year - the original timeline of NIST recommendations by September was blown through thanks to Congress doing what it does best - arguing itself into stasis.

But its passing is cause for celebration: a federal, nationwide approach is going to be more effective than a series of state laws (both California and Oregon have already passed IoT security bills).

It is not a full solution. As noted above, it doesn’t require companies or anyone outside the federal government to produce or buy products that meet the new standards. So the market will continue to pump out insecure IoT devices; which in turn will create huge opportunities for botnets and DDoS attacks and data theft and so on.

But this is an essential first step to getting secure IoT in place. Who knows, maybe Congress will surprise us all again and set aside resources to push and promote the importance of buying products that do meet the new standards. Well, we can dream. ®

Keep Reading

United States Congress stormed by violent followers of defeated president, Biden win confirmation halted

Updated Images of evacuated and invaded offices, Senate PCs still left switched on shared online

Stop asking for Amazon, Google and Microsoft cloud with 'no justification': US Library of Congress told to drop its 'brand-name'-tastic RFP

Oracle wins protest after agency failed to get it kicked out for not being a reseller

After Trump, Congress, Supreme Court Justice hit out at tech giants' legal immunity, now FCC boss wants to stick his oar in, too

Pai says he wants to 'clarify' Section 230's 26 words even though he probably can't do anything about it

FCC boss pleads with Congress: Please stop me from auctioning off this spectrum for billions of dollars

In unusual turn of events, Ajit Pai warns he’ll do his job unless stopped

As the US maybe gets serious about coronavirus-tracking apps, Congress wakes up to the privacy risks

Just what will happen to all that tasty location and contact data?

Half a billion here, half a billion there – pretty soon you're talking real money: US Congress earmarks $425m for 2020 election security

Just another, oh, $1.675bn to go to defend systems, it is estimated

Remember that backdoor in Juniper gear? Congress sure does – even if networking biz wishes it would all go away

US lawmakers demand answers in quest against Feds-only access points

Since the FCC won't act, Congress finally moves on robocalls by passing half-decent TRACED Act

Only took seven years of consumer hell to get this far

Biting the hand that feeds IT © 1998–2021