The House of Representatives has unanimously passed a bipartisan bill setting minimum security requirements for Internet of Things devices connected to federal networks. The next step: get the Senate to vote on its version of the bill.
The Internet of Things Cybersecurity Improvement Act would require the National Institute of Standards and Technology to create standards and guidelines for how federal agencies should use and manage IoT devices purchased by the government. The list includes computers, mobile devices, and pretty much anything that can be connected to the Internet.
“IoT devices are more and more common and fulfill greater and greater functions in our government,” said Rep. Robin Kelly (D-Ill.), one of the backers of the bill. “By establishing some baseline standards for the security of these devices, we will make our country and the data of American citizens more secure.”
There are 10 billion IoT devices already in use, and Gartner estimates more than 25 billion devices will be online by 2021. IoT is well-entrenched in the federal government, with different agencies relying heavily on the massive amount of data these devices collect in real time. The State Department, for example, has sensors in all its embassies around the world collecting air quality data. Internet-connected devices promise a great deal, but they are also highly vulnerable to attack. Despite the growing threat against these devices, there currently are no national standards for IoT security.
“Currently there are no national standards to ensure the security of these connected devices,” Rep. Carolyn Maloney (D-NY), chairperson of the House Oversight and Reform Committee, said during the floor vote. “Protecting our nation from cyber threats is an ongoing, interactive process that requires established, baseline standards and constant vigilance.”
The minimum security standards apply to devices purchased and used by the federal government. Theoretically, manufacturers could offer two versions of a device—one that meets (or exceeds) the NIST-defined minimum security standards and that the government can buy, and one that ignores the government requirements and is available to anyone. In reality, it is more likely that IoT vendors will adopt the same requirements across the board instead of trying to support two versions of their products. The hope is that the minimum security requirements will become the default industry standard and apply to commercial devices as well, said Sen. Mark Warner (D-Va.), who introduced the Senate version of the bill.
“Frankly, manufacturers today just don’t have the appropriate market incentives to properly secure the devices they make and sell,” Warner said in a statement.
The legislation requires the Office of Management and Budget to review existing federal government information security policies and develop guidance so that agencies can meet NIST’s recommendations. NIST and OMB would have to update IoT security standards, guidelines, and policies at least every five years.
IoT manufacturers would also have to develop basic patching and remediation capabilities for their devices so that vulnerabilities can be fixed. Vendors would have to notify agencies of any vulnerabilities that could leave the government open to attack. The Department of Homeland Security would need to publish guidance on coordinated vulnerability disclosure for contractors and vendors.
The ability to fix vulnerabilities when they are found is key to IoT security. While higher-end devices can generally be updated (though not always easily), a large number of IoT devices do not receive security updates at all; most of them don’t even have a mechanism that would allow for updates. Agencies need a way to install updates, and vendors need a way to receive vulnerability disclosure reports, said Rep. Will Hurd (R-Texas), another backer of the bill. This law would help stop insecure devices from entering the federal supply chain at all, he said.
“If you’re going to introduce a widget into the digital infrastructure of the federal government and it has a known vulnerability, you either have to patch it or have some way to address it,” said Hurd.
Road to Regulation
Reps. Hurd and Kelly introduced this bill in the House Oversight Committee’s IT subcommittee back in March 2019. It passed the full committee in June, and then stayed in limbo until this month. The Senate Homeland Security and Governmental Affairs Committee passed the Senate version of the bill in June 2019. The Senate has not yet picked up the bill for a floor vote, and it isn’t clear when that may happen.
The United Kingdom has been working on similar regulations, but aimed at consumers. Internet-connected devices would carry a label indicating how well they meet security standards, giving consumers information about how secure a device is before purchase. The minimum requirements are: unique default passwords; a stated length of time during which the device will receive security updates; and a point of contact for reporting vulnerabilities in the product. Once the program becomes mandatory, companies would not be allowed to sell their products without the labels. It isn’t clear how the UK will enforce that when so many of these devices are manufactured in and shipped from other countries.
California Senate Bill 327 attempted to fill the void left by the absence of a national standard for IoT security. SB-327, which was proposed in 2018 and became law in January, requires “reasonable security feature or features that are appropriate to the nature and function of the device.”
“The Internet of Things is showing just how innovative humans can be, but like most innovations, IoT has the potential to be misused and abused by bad actors,” said Hurd. “If our security practices for using the Internet of Things does not evolve as our use of it grows, then we will find out how innovative criminals, hackers and hostile foreign governments can be.”