David Alexander, digital trust expert at PA Consulting, discusses the IoT Cybersecurity Improvement Act which would require the development of security standards and guidelines for federal IoT devices.
The article notes that proponents of a proposed federal bill are seeking the development of security standards for all government-purchased Internet-connected devices -- a move that could spur improved security for IoT deployments across non-government entities as well.
The IoT Cybersecurity Improvement Act of 2019, co-sponsored by Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas), would require the National Institute of Standards and Technology (NIST) to issue guidelines for the secure development, configuration and management of IoT devices. It would also require the federal government to comply with these NIST standards.
Perhaps more significantly, the bill would likely reach beyond the federal government if passed and made into law. Security experts predict that NIST standards would help elevate IoT security throughout private industry and during development of consumer products.
IoT: Speed to market offsets cybersecurity
Security leaders said there's a need for improved IoT security: Vendors work fast to bring IoT products to market, while enterprise leaders have moved just as quickly to capitalize on IoT deployments. In both cases, the desire for speed typically trumps security concerns, they said.
Now these security concerns are gaining new attention.
David says: "People have been saying for at least three years that there's a problem and we need to fix it."
The emergence of IoT security standards
Despite often treating security as an afterthought, the IoT community has already started to address security and data privacy issues. This recognition helped create an emerging collection of standards, best practices and regulations such as California's IoT device law known as SB-327. It is the first such state law in the United States, and the European Telecommunications Standards Institute has developed similar rules.
However, the IoT Cybersecurity Improvement Act could push IoT safety to the forefront for IoT device makers and end users. This is because of the clout that NIST has in setting standards and that the federal government has in purchase power. The federal bill was advanced out of the House Oversight and Reform Committee in June.
Security becoming an IoT priority
Meanwhile, private sector CISOs and CIOs could benefit if the bill is passed and NIST develops security standards that give them guidelines to adopt for their own IoT deployments.
David adds: "NIST standards could give them leverage in their discussions about budget, controls and selection of products," as NIST protocols in other areas have often become the basis for best practices in private sector organizations seeking to strengthen their own programs.
However, the bill's future is uncertain. A similar measure was introduced in 2017 and failed to move forward. On the other hand, the IoT Cybersecurity Improvement Act of 2019 does have bipartisan sponsors, which security experts said gives them some hope that Congress will take favorable action on this issue.
Yet that hope comes with a caveat: lawmakers must pay attention to each other's IoT legislation to ensure they're all moving in the same direction. Also, they said NIST should work with industry to craft standards. This cooperative approach is one that NIST typically takes, and it would help ensure that all the various laws share common elements so that vendors understand what they must deliver to the market.
David continues: "These things cannot be contradictory. All these versions of IoT legislation need to be aligned because vendors want to make one version of their product. All the legislation has to be pointing in the same direction, otherwise it's not going to work."