The IoT Cybersecurity Improvement Act has been officially signed into law. The bipartisan legislation, sponsored by Reps. Robin Kelly, D-Ill., and Will Hurd, R-Texas, and Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., requires that any IoT device purchased with government money meet minimum security standards. 

Reportedly, the Act would address the supply chain risk to the federal government stemming from insecure IoT devices by establishing light-touch, minimum security requirements for procurement of connected devices by the government, and specifically:

  • Require the National Institute of Standards and Technology (NIST) to publish standards and guidelines on the use and management of IoT devices by the federal government, including minimum information security requirements for managing cybersecurity risks associated with IoT devices.
  • Direct the Office of Management and Budget (OMB) to review federal government information security policies and make any necessary changes to ensure they are consistent with NIST’s recommendations.
  • Require NIST and OMB to update IoT security standards, guidelines and policies at least every five years.
  • Prohibit the procurement or use by federal agencies of IoT devices that do not comply with these security requirements, subject to a waiver process for devices necessary for national security, needed for research or that are secured using alternative and effective methods.
  • Require NIST to publish guidelines for reporting security vulnerabilities relating to federal agency information systems, including IoT devices.
  • Direct OMB to develop and implement policies that are necessary to address security vulnerabilities relating to federal agency information systems, including IoT devices, consistent with NIST’s published guidelines.
  • Require contractors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.

How does the bill impact the cybersecurity landscape, and will the Act really improve the cyber infrastructure of the federal government? Here's what cyber executives had to say: 

Peter Monahan, Director, Global Solutions Architecture at WhiteHat Security, a San Jose, Calif.-based provider of application security: “The application layer of most IoT technologies is critical to its successful implementation, providing the ability to install, operate, manage and update the device as well as connect it to other integrated systems.  These applications are no less susceptible to security vulnerabilities than traditional web or mobile applications, and this new legislation puts forth a requirement for identifying and communicating such vulnerabilities. 

The majority of IoT applications are also designed to interact with any number of application programming interfaces (APIs), which may also be equally susceptible to security weaknesses, but which are frequently developed and distributed by external third parties.  This creates a significant challenge in summarizing the overall security posture of any particular device, depending upon its intended implementation by the Federal Government. 

Interestingly, the Act makes a provision to allow for the device to be “secured using alternative and effective methods” [Sec 7, subsection (a)(1)(C)]; the implication here is that the burden of identifying and reporting security vulnerabilities for IoT devices may in fact fall to the providers of these IoT devices, and that any connected APIs will need to be similarly tested in conjunction with external third parties involved in the creation of these layered services.”

Stefano De Blasi, Threat Researcher at Digital Shadows, a San Francisco-based provider of digital risk protection solutions: “The rapid, and ongoing, expansion in the Internet of Things (IoT) is undoubtedly making our lives more efficient and productive - and it will most likely continue to do so in the coming years thanks to the gradual deployment of 5G connectivity. However, connecting these devices to our private corporate networks expands the attack surface and potentially exposes sensitive data such as medical records, personally identifiable information, and workplace plans.

One of the main problems with IoT security at present is that the rush to market often de-prioritizes security measures that need to be built into our devices. This issue has made many IoT devices low-hanging fruit for criminals interested in stealing sensitive data and accessing exposed networks. Additionally, criminals can exploit vulnerable products by leveraging their computing power to orchestrate massive IoT botnet campaigns that disrupt traffic on targeted services and spread malware.

The IoT Cybersecurity Improvement Act certainly represents a welcome step forward in ensuring that IoT devices are properly protected before they are connected to high-priority networks, such as those used in government facilities. Not only does this act demonstrate awareness of this crucial security issue, but it also sets an important precedent that can - and should - inspire other countries and organizations to follow.”

Terence Jackson, Chief Information Security Officer at Thycotic, a Washington, D.C.-based provider of privileged access management (PAM) solutions: “While this is to be applauded, it appears that the bill's initial focus is only on IoT devices procured and used by the Federal government.” He adds, “While IoT devices used on government networks are important, legislation mandating the security of all IoT devices would have gone further in providing a more comprehensive approach to IoT device safety. This may in fact create increased sales for companies as they may introduce ‘Government’ grade IoT devices that will cost more. It will be interesting to see if companies improve the security of their consumer grade products as a result of this standard.”

Chris Hazelton, Director of Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions: “With the rise of 5G there will be an increasing number of devices that are always connected, and so will always be under threat of cybersecurity attack. The Hurd-Kelly bill will require IoT devices used by US government agencies to meet security guidelines set by NIST. IoT devices are growing in diversity in terms of capabilities and price points, so there is pressure on manufacturers to rush devices to market, which means they often cut corners to maintain margins.

Cybersecurity is often seen as a last-minute and costly add-on that manufacturers skimp on. Hundreds of millions of devices and network hardware have been delivered to market with simple default admin passwords. This creates a massive attack surface for any organization that deploys and relies on these connected devices.

NIST has put in place guidelines for implementing mobile security for smartphones and tablets, and these guidelines have even been adopted broadly, including outside of government, such as by professional sports teams. Guidelines from NIST on IoT security will create helpful guidelines that serve both government and commercial sectors to improve their cybersecurity strategies for all endpoints.”

Chris Morales, head of security analytics at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers: “The short answer is that the IoT Cybersecurity Improvement Act is good. IoT manufacturers have been building devices based on cost and speed to market with no thought to security. The exposed attack surface of all these devices is crippling. There are some basic things that should be required, like an ability to patch devices, authentication, and secure coding practices.

Vendors should also be held accountable for the data they collect and store from all these devices, which is held in some cloud storage. This cloud storage of data is a high value target for attackers, so the security practice of the manufacturer themselves needs to also come into question. How is the manufacturer monitoring for intrusions in their own network?”