In 2016, attacks such as the Mirai botnet took down several popular websites, and in doing so, brought attention to the need for security for Internet of Things (IoT) devices. Since then, the U.S. Congress has made attempts to pass legislation around IoT security, including a lame attempt in 2017, when senators introduced a bill that would prevent the government from buying connected devices that had one of a small number of glaring security flaws. Once again, Congress is trying to pass legislation, but this time around, there’s more to like in the bill.
The Internet of Things Cybersecurity Improvement Act of 2019 isn’t trying to dictate specifically how to secure connected devices, as the 2017 bill did. Instead, it aims to build a framework that the government can use to establish a list of characteristics required for secure connected devices. Promisingly, the bill allocates the task of figuring out the requirements for a secure device to the technologically savvy National Institute of Standards and Technology (NIST). Then it’s up to the Office of Management and Budget (OMB) to direct federal agencies on how they should adopt the NIST guidelines.
Some security experts worry that this two-step approach will lead to lower security standards for agencies, because even if NIST produces strong standards, OMB could tell some or all agencies to ignore parts or even all of the standards. But that isn’t necessarily a bad thing: The National Park Service probably doesn’t require the same security guidelines that the Department of Defense requires.
I’ve learned, in covering IoT for seven years, that there are two crucial rules that form the foundation for any good legislation. The first is an understanding that good security is all about thinking about security in the first place. This may sound obvious, but if you’re buying infusion pumps for a Veterans Affairs Hospital, you’re probably focused on buying the best infusion pump, not on securing it against cyberthreats. But with the IoT, security must be part of the basic functionality, and so security professionals should be deeply involved in the design and procurement of devices. The second rule for good security legislation is that government agencies must understand that in a connected world, good security is an ongoing process, not something you can set and forget.
That’s why it’s encouraging to see that the bill would require NIST to evaluate device security every five years and update the government’s standards. Sure, five years may be an eternity in the world of connected devices and technology exploits, but it’s a start.
I have no idea if the bill will even get out of committee, or how it will look if it does, but as it stands, I’d add a few more elements that could help round it out. First, I’d love for NIST to have a budget secured for creating the list of vulnerabilities and security elements, and then for managing vulnerability disclosures going forward.
I’d also like to see some remediation plan for all of the currently insecure devices the government has under its purview. The government uses computerized and connected devices in a huge number of places, including weaponry systems for missile interception and wildlife tracking in national parks. Obviously, a lack of security is more unnerving when missiles, rather than caribou, are involved, but the government should be thinking about how to secure what’s out there, not just what it buys after a cybersecurity bill takes effect.
This article appears in the May 2019 print issue as “IoT Security Goes to Washington.”