The U.S. Government Finally Gets Serious About IoT Security

New legislation will be a boon for devices all over the world

3 min read
Illustration of a government building, a lock and papers with check marks.
Illustration: J.D. King

The U.S. government is a larger customer of IoT products than you may realize. Veterans Affairs, for example, buys connected IV pumps for its hospitals, while the Environmental Protection Agency buys water sensors to measure pollution.

To protect all of those devices' potentially enticing data from hacks, the U.S. passed a well-designed cybersecurity law last December. The IoT Cybersecurity Improvement Act of 2020 has given the nation an excellent framework that will influence IoT security across the world.

Most IoT companies will not have the resources to develop separate lines of products—one line that conforms to the U.S. government's security requirements and one that does not. It's also hard to imagine why any other customers would settle for less-secure options, especially when many of the security requirements demanded by the law are broadly useful across all industries. So, while the law dictates only what IoT devices the U.S. government can buy, we'll see a ripple effect as companies use the same secure devices for both government and nongovernment IoT deployments.

So, what's to like about the law? Two things, as it turns out.

First, the law isn't focused on securing individual devices by dictating password requirements or encryption standards, both of which will need to evolve. Instead, it relies on the National Institute of Standards and Technology (NIST) to set many of the requirements that government agencies have to follow when purchasing connected devices. These policies see overall security as the sum of several parts, requiring specific prescriptions for device, cloud, and communication security.

NIST's initial rules include today's best practices, such as having an over-the-air device update program, unique IDs for each device so it can be identified on a network, and a way for authorized users to change features related to access and security. The recommendations also include logging the actions taken by an IoT device or its related app, and clearly communicating the specifics of a device's security to the user.

The other reason to like the law is that it remains adaptive and flexible by requiring NIST to assess the best practices for cybersecurity for connected devices every five years. Hacks, by their nature, are also adaptive and flexible, and so preventing them needs equally adaptable legislation. That means buying IoT devices that can receive over-the-air software updates, for example, to patch up any newly discovered exploits.

Unfortunately, the law isn't airtight. While it forbids government agencies from buying devices that don't comply with the security requirements, it does leave open a waiver process for devices needed for national security or research, as well as any devices secured using an effective alternative method.

I'm a little worried about the potential for government agencies to abuse the waiver process. As a nation, the United States tends to lump a lot of everyday activities under national security, meaning it's not hard for a government agency to make the case that they don't need to conform to NIST's requirements.

Also potentially worrisome is the law's loophole that exempts devices that are secured using “alternative and effective methods." The law doesn't clarify what agency evaluates the efficacy of these alternative methods or how that evaluation is made.

Despite these loopholes, I have to assume that manufacturers are waking up to the costs of having insecure devices in the field, and as such will embrace a set of rules that explain how to secure and update those devices. And besides, most IoT companies aren't going to risk losing the U.S. government as a potential customer by not conforming to NIST's standards. That could cost them even more.

This article appears in the April 2021 print issue as “Securing U.S. IoT."

The Conversation (0)

The Cellular Industry’s Clash Over the Movement to Remake Networks

The wireless industry is divided on Open RAN’s goal to make network components interoperable

13 min read
Photo: George Frey/AFP/Getty Images

We've all been told that 5G wireless is going to deliver amazing capabilities and services. But it won't come cheap. When all is said and done, 5G will cost almost US $1 trillion to deploy over the next half decade. That enormous expense will be borne mostly by network operators, companies like AT&T, China Mobile, Deutsche Telekom, Vodafone, and dozens more around the world that provide cellular service to their customers. Facing such an immense cost, these operators asked a very reasonable question: How can we make this cheaper and more flexible?

Their answer: Make it possible to mix and match network components from different companies, with the goal of fostering more competition and driving down prices. At the same time, they sparked a schism within the industry over how wireless networks should be built. Their opponents—and sometimes begrudging partners—are the handful of telecom-equipment vendors capable of providing the hardware the network operators have been buying and deploying for years.

Keep Reading ↓ Show less