Legislators Propose New Bill to Protect IoT Devices
Protecting IoT devices from cyber attacks recently got a boost from a proposed bill in Congress, which sounds like a good thing—and probably is. But the suggested legislation is limited and is only one in a string of legislative moves by Congress to corral this thorny problem.
Four senators and two members of the House have introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 to reduce the risk of sloppy security found in many connected devices. The proposed bill would require minimum security standards for any IoT devices used by the federal government, and would base these standards on recommendations from the National Institute of Standards and Technology (NIST). The bill also has a review timeline that would mandate a NIST reappraisal every 5 years.
How Does It Compare to State Legislation?
While the bill only aims to protect devices used by government employees, it could help establish a new baseline for IoT device security that would likely be followed in the private sector. But the federal bill lacks some of the teeth that legislators in California agreed upon when they passed the first statewide IoT security law last September. The California law calls for device makers to get rid of default passwords that are easy to hack and requires users to generate their own new passwords before a device can connect and have access to internet or local resources. The California law is not perfect either, but at least it takes aim at one of the fundamental flaws in connected devices.
Why Is Protective Legislation Important?
Reports of a new and more dangerous variant of the Mirai botnet underscore the need for enhanced security measures for IoT devices. Mirai is the alarming malware that first appeared in 2016 and caused some of the most troublesome distributed denial of service attacks on record. The new strain targets not only consumer devices but enterprise hardware as well, such as the wePresent WiPG-1000 wireless presentation system and LG SuperSign TVs.
The proposed bill is a step in the right direction. But threats to IoT devices keep changing and national laws alone can only go so far. As Chester Wisniewski, principal research scientist at Sophos, points out in a piece on IoT World Today, there is a need to correct the problem within the global supply chain. His idea is to pressure manufacturers in China, Malaysia, Taiwan, and elsewhere to produce more hardened IoT devices, and do this through tougher international trade treaties sanctioned by the World Trade Organization. Hard to disagree with this approach.
As I’ve written before, reducing threats to IoT devices requires an ongoing focus, and must be a priority for stakeholders throughout multiple value chains, including utilities, buildings, and enterprises. For more on this topic, see the Navigant Research reports Managing IoT Cybersecurity Threats in the Energy Cloud Ecosystem, or Cybersecurity Will Define Market Leaders in the Intelligent Buildings Market.