The December 2022 issue of IEEE Spectrum is here!

Close bar

The U.S. Government Finally Gets Serious About IoT Security

New legislation will be a boon for devices all over the world

3 min read
Illustration of a government building, a lock and papers with check marks.
Illustration: J.D. King

The U.S. government is a larger customer of IoT products than you may realize. Veterans Affairs, for example, buys connected IV pumps for its hospitals, while the Environmental Protection Agency buys water sensors to measure pollution.

To protect all of those devices' potentially enticing data from hacks, the U.S. passed a well-designed cybersecurity law last December. The IoT Cybersecurity Improvement Act of 2020 has given the nation an excellent framework that will influence IoT security across the world.

Most IoT companies will not have the resources to develop separate lines of products—one line that conforms to the U.S. government's security requirements and one that does not. It's also hard to imagine why any other customers would settle for less-secure options, especially when many of the security requirements demanded by the law are broadly useful across all industries. So, while the law dictates only what IoT devices the U.S. government can buy, we'll see a ripple effect as companies use the same secure devices for both government and nongovernment IoT deployments.

So, what's to like about the law? Two things, as it turns out.

First, the law isn't focused on securing individual devices by dictating password requirements or encryption standards, both of which will need to evolve. Instead, it relies on the National Institute of Standards and Technology (NIST) to set many of the requirements that government agencies have to follow when purchasing connected devices. These policies see overall security as the sum of several parts, requiring specific prescriptions for device, cloud, and communication security.

NIST's initial rules include today's best practices, such as having an over-the-air device update program, unique IDs for each device so it can be identified on a network, and a way for authorized users to change features related to access and security. The recommendations also include logging the actions taken by an IoT device or its related app, and clearly communicating the specifics of a device's security to the user.

The other reason to like the law is that it remains adaptive and flexible by requiring NIST to assess the best practices for cybersecurity for connected devices every five years. Hacks, by their nature, are also adaptive and flexible, and so preventing them needs equally adaptable legislation. That means buying IoT devices that can receive over-the-air software updates, for example, to patch up any newly discovered exploits.

Unfortunately, the law isn't airtight. While it forbids government agencies from buying devices that don't comply with the security requirements, it does leave open a waiver process for devices needed for national security or research, as well as any devices secured using an effective alternative method.

I'm a little worried about the potential for government agencies to abuse the waiver process. As a nation, the United States tends to lump a lot of everyday activities under national security, meaning it's not hard for a government agency to make the case that they don't need to conform to NIST's requirements.

Also potentially worrisome is the law's loophole that exempts devices that are secured using “alternative and effective methods." The law doesn't clarify what agency evaluates the efficacy of these alternative methods or how that evaluation is made.

Despite these loopholes, I have to assume that manufacturers are waking up to the costs of having insecure devices in the field, and as such will embrace a set of rules that explain how to secure and update those devices. And besides, most IoT companies aren't going to risk losing the U.S. government as a potential customer by not conforming to NIST's standards. That could cost them even more.

This article appears in the April 2021 print issue as “Securing U.S. IoT."

The Conversation (1)
William Adams10 Mar, 2022
LS

ROTFLMAO

legislation wont fix anything.

You could ARCHITECT design and build an absolutely secure system but you sure cant legislate squat that means anything.

Trouble is that NSA wont let us do it. They prefer to be able to get into all computers rather than us being able to keep everybody else out of ours.

You can send your thanks to NSA when Putin cripples the USA with a cyber attack.

Why the Internet Needs the InterPlanetary File System

Peer-to-peer file sharing would make the Internet far more efficient

12 min read
Horizontal
An illustration of a series
Carl De Torres
LightBlue

When the COVID-19 pandemic erupted in early 2020, the world made an unprecedented shift to remote work. As a precaution, some Internet providers scaled back service levels temporarily, although that probably wasn’t necessary for countries in Asia, Europe, and North America, which were generally able to cope with the surge in demand caused by people teleworking (and binge-watching Netflix). That’s because most of their networks were overprovisioned, with more capacity than they usually need. But in countries without the same level of investment in network infrastructure, the picture was less rosy: Internet service providers (ISPs) in South Africa and Venezuela, for instance, reported significant strain.

But is overprovisioning the only way to ensure resilience? We don’t think so. To understand the alternative approach we’re championing, though, you first need to recall how the Internet works.

Keep Reading ↓Show less