Understand the IoT Cybersecurity Improvement Act, now law
Federal action through the IoT Cybersecurity Improvement law aims to create more security in the U.S. government's IoT infrastructure, but it could boost security across all sectors.
IoT device security challenges have drawn federal scrutiny, with congressional lawmakers recently taking bipartisan action to have device makers include more product security features.
Their move: passage of the IoT Cybersecurity Improvement Act officially signed into law on Dec. 4.
The law ensures the government purchases only secure devices and closes existing vulnerabilities, said Congresswoman Robin Kelly, an Illinois Democrat and co-chair of the House Tech Accountability Caucus who introduced the bill in the House. The legislation mostly affects U.S. government applications, vendor partners, equipment manufacturers and stakeholders that deal with the federal government.
Congress' objective is to make the U.S. government's IoT infrastructure more secure, but the law could have ripple effects that extend well beyond government, with private industry and consumers likely benefiting from new connected device standards.
"The bill will uplift IoT security considerations, create a more accountable perspective for vendors and a more transparent audit trail for device and system security. There is a very high chance, almost inevitable, for adjacency effects to cross over to the consumer value chain, transforming consumer IoT devices along with other IoT markets along the process, uplifting the entire connected landscape," said Dimitrios Pavlakis, an industry analyst with ABI Research.
Details of the law
The U.S. House unanimously approved the IoT Cybersecurity Improvement Act in September, and the U.S. Senate unanimously passed it on Nov. 17, 2020. The law establishes baseline security standards for government-purchased, internet-connected devices.
The law itself does not set the security standards, but rather instructs the National Institute of Standards and Technology (NIST) to tackle the task. It also lays out several other key actions for government agencies to take, all of which are designed to boost device security throughout the device lifecycle.
"Ultimately, the government wants to put together a strategy on how to address IoT devices and what those specific security baseline requirements should be," said Donald Schleede, information security officer at Digi International.
To start, the law requires NIST to develop minimum security standards for connected devices that the federal government purchases or uses. It also has the agency develop standards and guidelines for the use and management of all IoT devices that the government owns or uses.
It further requires NIST to address secure development, identity management, patching and configuration management as part of its security standards. It prohibits federal entities from buying or using any IoT device determined to be noncompliant with the NIST standards.
The legislation requires the Department of Homeland Security to review such measures every five years to determine any necessary revisions. This ensures the federal requirements for connected devices remain current as technology, standards and attack scenarios evolve.
The federal law provides more-specific IoT security standards for connected devices than past industry-led attempts and legislative measures have, Schleede said. The new law aims to provide a level of specificity that California's 2018 IoT security law, which went into effect in 2020, lacks.
Moreover, experts said they expect NIST to develop more comprehensive standards that are more applicable to industry and commercial use than past efforts.
Existing legislation, such as the California SB-327 and Oregon HB2395 laws, focuses on consumer electronics, not government agencies. These laws implement only baseline technical controls, such as no default passwords, and are primarily a response to the Mirai botnet, said Rob Wood, practice vice president of hardware and embedded security services at the security consultancy NCC Group.
"It remains to be seen what technical requirements NIST will implement in response to this [law]; hopefully, they go much farther," Wood said.
Standards could affect IoT security beyond government
Although the actual standards have not yet been determined, security leaders said they expect action from NIST to have an important influence on IoT beyond the federal government. NIST is a highly influential entity with standards, guidance documents and recommendations that private industry and nongovernmental organizations frequently adopt.
NIST standards for connected devices draw similar interest from security leaders, IoT experts and enterprise executives. The IoT Cybersecurity Improvement law -- with its required new NIST standards for device makers -- pushes vendors to make more secure devices available for all customers, not just the federal government.
"Using its buying power, the federal government can incentivize the broader IoT ecosystem to ensure robust cybersecurity of its devices and the responsible, coordinated disclosure of vulnerability information," said Trevor Rudolph, vice president of global digital policy and regulation at Schneider Electric.
IoT security challenges on the rise
The law gives NIST 90 days after enactment to develop and publish its standards and guidelines for connected devices. NIST has worked on standards for some time now, and experts said they expect the organization should have no problem meeting that deadline.
NIST's ongoing work indicates the importance of cybersecurity to government officials and enterprise leaders alike, who all face challenges to secure burgeoning connective ecosystems.
ABI Research predicted IoT connections will exceed 23 billion across all major IoT markets by 2026 and face incessant and constantly evolving cyberthreats. These threats force implementers and IoT vendors to embrace new digital security options and drive investments in secure device authentication services, with that market expected to reach $8.4 billion in revenues by 2026.
Meanwhile, Nokia's "2020 Threat Intelligence Report" found that IoT was responsible for 32.72% of all infections observed in mobile networks, up from 16.17% in 2019.
"In 2020, we saw a 100% increase in compromised IoT devices. If the 2020 trends continue, 2021 will see a significant increase in attacks on IoT devices," said Kevin McNamee, the former head of the Threat Intelligence Lab and, now, a security product manager at Nokia.
The most vulnerable devices are ones visible on the internet, and attackers can compromise these device vulnerabilities in mere minutes, McNamee said.
Such devices include home routers, residential devices visible via the home router, mobile IoT devices with public IP addresses and any critical infrastructure with public IP addresses. Attackers use automated tools to compromise IoT devices with known vulnerabilities and add them to the expanding IoT botnets.
Effects on IoT ecosystems remain unclear
The IoT Cybersecurity Improvement law won't be able to counteract all those threats; the question now is whether it could help at all and, if so, by how much.
"This is a major first step for IoT security in the U.S., but make no mistake, we still have plenty of room to improve. IoT device manufacturers -- whether they service the government or private sector -- need to understand disclosure processes, [and] patch development and deployment," said Curtis Simpson, chief information security officer at the security solutions company Armis.
He said he supports additional action: "This [legislation] should very much be seen as a positive step in the right direction, but it's truly that -- a step -- with the next being thorough legislation for all companies, public or private. And let's not forget about consumers with an ever-growing number of these devices in their home."
Other experts had a similar take.
"It remains to be seen whether this [law] will make a real difference," Rudolph said. "Of note, the [law] does not wade into nongovernment, commercial transactions and sales of IoT devices, and it does not have international applicability. Whether the broader commercial IoT ecosystem decides to adopt the practices recommended by NIST is yet to be determined.
"On the international front, manufacturers are dealing with numerous and, sometimes, inconsistent IoT cybersecurity requirements. To truly advance the cybersecurity of IoT devices, manufacturers need a common set of interoperable rules so they can build devices once and sell throughout the global marketplace," Rudolph said.