What Impact Will the IoT Cybersecurity Improvement Act Have?

March 7, 2019 - 8 minutes read

Thanks to the Internet of Things (IoT), the world is becoming more connected than ever before. But security is having a tough time playing catch-up; IoT development is dramatically outpacing regulation.

Standards must be put in place. Will the IoT Cybersecurity Improvement Act push things in the right direction?

What’s the IoT Cybersecurity Improvement Act, and Why Does It Matter?

It wasn’t so long ago when only phones and computers were the only Internet-connected devices. But today, the list of web-connected devices has grown exponentially to include cars, security systems, cameras, and even toasters. While connectivity is great, many of these devices do so without much regard for security.

And government legislation is finally becoming wise to these flaws. The IoT Cybersecurity Improvement Act is a bill in Congress that could dramatically improve security requirements for government vendors. Essentially, it would do so by setting new purchasing requirements for government agencies. In turn, these agencies would have to include new clauses in their purchasing contracts which mandate better security standards for IoT devices.

Honestly, this should have happened sooner. Many recent IoT security breaches could have been prevented with better more robust regulations. Examples include the Mirai malware attack that shut down the Eastern seaboard’s Internet access and the Equifax breach which was caused by the company’s use of the word “admin” on scores of accounts.

As a result of the latter hack, the sensitive information of 143 million Americans was released. But attacks like Mirai also carry a heavy cost. Internet downtime can cost organizations upwards of $100,000 per hour. Consequences will only become more severe as IoT grows without proper security.

In 2018, there were already 23 billion Internet-connected devices worldwide. And while yesterday was the opportune time to enforce better regulations, today is the next best option—by 2025, there will be 75 billion devices connected to the Internet around the world.

So, What Does the IoT Cybersecurity Improvement Act Actually Do?

As previously mentioned, the IoT Cybersecurity Improvement Act would enforce a variety of clauses in government purchasing contracts. You can lump them into two categories:

Verifications

These are claims that the vendor would have to make about the device and includes the following conditions:

  • The device does not contain known security vulnerabilities.
  • It employs industry-standard security and communication technology.
  • The device can be securely accessed and updated by the vendor.
  • It does not contain any fixed or hard-coded credentials.

Behavioral Requirements

The second category revolves around security practices the vendor would have to complete:

  • The vendor must notify the government if they discover a vulnerability later on.
  • The vendor must also ensure security through device updates.
  • If there is a security need, the vendor must repair or replace the vulnerable devices.
  • The vendor must provide information on continuing security support, including a timeline of when this would end.

Why Does This Bill Matter?

At a surface level, the IoT Cybersecurity Improvement Act only improves security standards for the devices that vendors sell to the government. But this bill will likely have a more widespread effect than what’s readily apparent.

It Inspires More Legislation

This legislation could go down in history as a trailblazer by opening the door for more laws like it to gain traction. The Securing IoT Act, another bill in Congress’s pipeline, would create and enforce security standards for any device that emits radio frequency.

On September 28th, 2018, California passed a similar law which requires better security for IoT devices. It’s not as comprehensive as the IoT Cybersecurity Improvement Act, but it would apply to all devices made or sold in California. This means all of the IoT developers in San Francisco working in the consumer goods space would have to adhere to these new regulations.

California’s law would go into effect in 2020. And with the IoT Cybersecurity Improvement Act, it’s safe to say that the law will keep its eye on IoT developments going forward.

It Makes Security a Priority for Corporations

The US government realized that ensuring the security of all the devices they buy was a tall order—so they’ve placed the onus on the companies making them. It’s a great move that will undoubtedly make many corporations prioritize security, an aspect that usually takes a backseat in the development process.

Besides this, the stipulations of the IoT Cybersecurity Improvement Act will also most likely carry over to contracts between these corporations. So if they find a specific component in their device is the cause of vulnerability, they can trace it back to its manufacturer and hold them liable.

It Can Only Benefit Consumers

If passed, the bill would have no direct negative effect on consumers. Yes, as it stands, the IoT Cybersecurity Improvement Act technically only affects the devices that vendors sell to the government. So it could be possible that vendors will make a consumer version of their devices that don’t follow these guidelines.

But we’ll wait and see how well news of this sort plays out in the public eye. With mounting pressure on IoT developers to improve security, the last thing any of them would want is an article highlighting their corner-cutting around consumer devices.

And while this bill does not directly affect this category of IoT devices, future legislation spurred by it most certainly will.

A Better Standard for IoT Cybersecurity

As we noted earlier, the number of IoT devices is about to exponentially grow around the world. Bills like the IoT Cybersecurity Improvement Act allow security, something once viewed as a “nice to have” by many manufacturers, to become a necessity.

Which is the way it should have been all along—but hey, at least we’re getting there now. Think about it: Someday soon, we’ll all be able to wake up and cook breakfast without worrying that our fridge or toaster is watching us.

Are you ready for a more secure IoT? Because we sure are!

Tags: , , , , , , , , , , , , , ,