Proponents of a proposed federal bill are seeking the development of security standards for all government-purchased Internet-connected devices -- a move that could spur improved security for IoT deployments across non-government entities as well.
The IoT Cybersecurity Improvement Act of 2019, co-sponsored by Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas), would require the National Institute of Standards and Technology (NIST) to issue guidelines for the secure development, configuration and management of IoT devices. It would also require the federal government to comply with these NIST standards.
Perhaps more significantly, the bill would likely reach beyond the federal government if passed and made into law. Security experts predict that NIST standards would help elevate IoT security throughout private industry and during development of consumer products.
"Our bill establishes baseline cybersecurity standards for government purchased and operated IoT devices," Rep. Kelly said in an emailed response to questions about the proposed legislation. "Right now, we are focused on securing government IoT devices. I think the most relevant piece to executives would be the ability to use NIST's Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks as a model for internal standards."
She added, "Our goal remains securing government IoT devices. If these standards are helpful to the private sector then that's an additional benefit."
IoT: Speed to market offsets cybersecurity
Security leaders said there's a need for improved IoT security: Vendors work fast to bring IoT products to market, while enterprise leaders have moved just as quickly to capitalize on IoT deployments. In both cases, the desire for speed typically trumps security concerns, they said.
Now these security concerns are gaining new attention.
"People have been saying for at least three years that there's a problem and we need to fix it," said David Alexander, digital trust expert at PA Consulting.
Others agreed, adding that they think NIST is the right entity to take the lead on establishing security standards.
"We need government intervention," said Balakrishnan Dasarathy, collegiate professor and program chair for Information Assurance at the Graduate School at the University of Maryland University College.
Dasarathy said the ripple effect from federal action on IoT legislation would improve product security for consumers and private industry alike. It would also give appropriate IoT security guidance to chief information security officers (CISOs) and other organizational executives.
"Right now many CISOs struggle to determine adequate security," Dasarathy said.
Weak IoT security has had significant consequences. The Mirai botnets, for example, exploited vulnerabilities in networked devices and led to a massive distributed denial of service attack in 2016.
The skyrocketing number of connected devices also increases the amount of infrastructure to protect. Gartner, the technology research and advisory firm, predicted that 14.2 billion connected things will be in use this year, a figure that will hit 25 billion by 2021. That growth means CISOs will be responsible for more than three times as many endpoints in 2023 as they were in 2018.
The emergence of IoT security standards
Despite often treating security as an afterthought, the IoT community -- including vendors, executives engaged in IoT initiatives and regulatory bodies -- has already started to address security and data privacy issues. This recognition helped create an emerging collection of standards, best practices and regulations such as California's IoT device law, known as SB-327. It is the first such state law in the United States, and the European Telecommunications Standards Institute has developed similar rules.
However, the IoT Cybersecurity Improvement Act could push IoT security to the forefront for IoT device makers and end users, because of the clout that NIST has in setting standards and the purchasing power the federal government has in the market. The federal bill was advanced out of the House Oversight and Reform Committee in June.
"It will set a direction that will make it easy for others to follow," said Gus Hunt, managing director and cyber strategist for Accenture Federal Services.
If the bill passes, IoT device makers that want to sell to the federal government would have to design and manufacture products according to NIST standards. To avoid designing a second-tier product for the nongovernment market, those makers would bring those same government devices to the broader market, Hunt explained.
Even if the IoT Cybersecurity Improvement Act doesn't pass, Hunt said vendors now recognize that buyers want better security features in their products.
"Many manufacturers realize that they have to find a way [to make sure] that whatever they sell is safe, secure and doesn't place people at higher risk simply by buying the device," he added.
Security becoming an IoT priority
Meanwhile, private sector CISOs and CIOs could benefit if the bill is passed and NIST develops security standards that give them guidelines to adopt for their own IoT deployments.
"NIST standards could give them leverage in their discussions about budget, controls and selection of products," Alexander said, as NIST protocols in other areas have often become the basis for best practices in private sector organizations seeking to strengthen their own programs.
However, the bill's future is uncertain. A similar measure was introduced in 2017 and failed to move forward. On the other hand, the IoT Cybersecurity Improvement Act of 2019 does have bipartisan sponsors -- which security experts said gives them some hope that Congress will take favorable action on this issue.
Yet that hope comes with a caveat: They said lawmakers -- in Congress and elsewhere -- must pay attention to each other's IoT legislation to ensure they're all moving in the same direction.
Also, they said NIST should work with industry to craft standards. This cooperative approach is one that NIST typically takes, and it would help ensure that all the various laws share common elements so that vendors understand what they must deliver to the market.
"These things cannot be contradictory. All these versions of [IoT] legislation need to be aligned because vendors want to make one version of their product. All the legislation has to be pointing in the same direction, otherwise it's not going to work," Alexander said.