IoT Cybersecurity Bill Passes U.S. Congress

A substantial new cybersecurity act is on its way to U.S. President Donald Trump’s desk. Once enacted, the IoT Cybersecurity Improvement Act would help consolidate security requirements and considerations for Internet of Things (IoT) devices, including secure development, identity management, patching, and configuration management, Forbes reported.

The act was developed with the advice of private industry companies such as Symantec and Mozilla, and its requirements will form a baseline that developers must follow if they want their products to be considered for use by the federal government—a shift that will doubtless have benefits for the private sector as well.

The bill was originally introduced four years ago, and has undergone a variety of changes, updates, and versions since then. However increased awareness of the threat posed by unsecured IoT devices played a role in getting the measure passed, said Senator Mark Warner (D-VA). According to Nokia’s Threat Intelligence Report 2020, IoT devices are responsible for almost a third of all mobile and Wi-Fi network infections.

The recent passage of my IoT Cybersecurity Improvement Act is an important blueprint for future cyber legislation. We need to ensure that IoT devices – increasingly part of home, enterprise, and government networks - are secure.https://t.co/cF2KV1qbmG

— Mark Warner (@MarkWarner) November 24, 2020

In addition, U.S. states such as California and Oregon passed their own IoT security bills, which added pressure for federal action.

The measure, which was passed in the U.S. Senate by unanimous consent on 17 November, would direct the U.S. Commerce Department’s National Institute of Standards and Technology (NIST) to establish baseline security requirements for IoT manufacturers and would require contractors to implement vulnerability disclosure policies. According to CyberScoop, “At its core, the idea is to protect federal agencies and use the purchasing power of the federal government to push manufacturers to adopting the same standards, whether they seek to contract with the federal government or not.”

Companies may choose not to comply with the requirements, so unsafe products may still be on the market (presumably at lower prices), but there will be a series of basic industry standards that consumers can refer to when comparing devices and security offerings, similar to EnergyStar ratings for appliances.

According to Forbes, “There is no such thing as total security, but we need to raise the entry barriers for those who wish to take advantage of the lack of security, and prevent access to certain devices from being, as is currently the case, child’s play.”

The bill reached President Trump’s desk on 24 November, and he can either sign it or it simply becomes law after 10 days, unless he decides to veto—which is unlikely, analysts note, given the measure’s bipartisan support.