The Internet of Things needs standardized, stronger security measures, and the U.S. government recently took a step toward mandating them.
Dubbed the IoT Cybersecurity Improvement Act of 2017, the proposed bill would require that all Internet-connected devices purchased by the federal government meet certain minimum cybersecurity standards. The security standards put forth in the bill are a good start, but they should be viewed as the bare minimum for IoT vendors.
The proposed legislation comes in the wake of crippling cyberattacks over the past year, including the Mirai botnet, which hijacked everyday connected devices such as security cameras, digital video recorders and baby monitors. Notably, in May a strain of ransomware called WannaCry spread around the world, walloping hundreds of thousands of targets, including public utilities, hospitals and large corporations; it spread through an unpatched Windows file-sharing flaw rather than through IoT devices, but it showed how quickly connected equipment that cannot be patched promptly is taken down. In August, Maersk announced that the effects of the June NotPetya attack could wipe as much as $300 million off its profits for the third quarter of this year.
To better protect against attacks like these, the IoT Cybersecurity Improvement Act establishes commonsense IoT security standards for government vendors, including:
- Prohibiting hardcoded passwords in IoT devices. Eliminating fixed passwords requires vendors to provide a mechanism for changing passwords and requires that devices not ship with common default passwords.
- Requiring industry-standard encryption for communication to and from IoT devices, for storage of collected data on the devices and on the servers they connect to, and for the mechanism used to update the devices.
- Certifying that the devices contain no known vulnerabilities at the time of sale. If vulnerabilities are discovered after purchase, vendors must notify customers and patch the vulnerability, or repair or replace the device.
- Requiring government agencies that use IoT devices to maintain an accurate inventory of them.
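As an added illustration of the first requirement (this is example code, not part of the bill or of this article), the following Python sketch contrasts the hardcoded-credential pattern the bill prohibits with a device credential store that ships a unique per-unit factory password, forces rotation at first login, refuses common defaults, and stores only salted PBKDF2 hashes. The `COMMON_DEFAULTS` list, the PBKDF2 parameters and the minimum length are assumptions chosen for the example.

```python
import hashlib
import os
import secrets

# Passwords a device must never ship with or accept (constructed short list; a
# real device would carry a much larger denylist).
COMMON_DEFAULTS = {"admin", "password", "12345", "123456", "root", "1234", "default"}

# The pattern the bill prohibits: one fixed credential baked into every unit.
HARDCODED_PASSWORD = "admin"  # identical on every device and not changeable


def vulnerable_login(user: str, password: str) -> bool:
    """Login as found in many pre-2017 devices: a fixed credential for every unit."""
    return user == "admin" and password == HARDCODED_PASSWORD


class CredentialStore:
    """Hardened device credential store.

    * No fixed password: each unit is provisioned with a random per-device
      factory password (printed on its label), never a shared default.
    * Changeable: the factory password is flagged must_change, so the device
      forces rotation at first login, and the user can change it later.
    * Common defaults and trivially short passwords are refused as new passwords.
    * Only salted PBKDF2 hashes are stored, never plaintext.
    """

    ITERATIONS = 200_000  # assumed work factor for the example

    def __init__(self) -> None:
        self._users = {}  # user -> (salt, pbkdf2 hash, must_change)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   CredentialStore.ITERATIONS)

    def provision_factory(self, user: str) -> str:
        """Generate a unique factory password at manufacturing time; returned for the label."""
        factory_pw = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(factory_pw, salt), True)
        return factory_pw

    def verify(self, user: str, password: str) -> tuple:
        """Return (authenticated, must_change_password)."""
        rec = self._users.get(user)
        if rec is None:
            # Hash anyway so unknown users take the same time as wrong passwords.
            self._hash(password, b"\x00" * 16)
            return (False, False)
        salt, stored, must_change = rec
        ok = secrets.compare_digest(stored, self._hash(password, salt))
        return (ok, must_change if ok else False)

    def change_password(self, user: str, old: str, new: str) -> bool:
        """Rotate the credential; refuses common defaults and short passwords."""
        ok, _ = self.verify(user, old)
        if not ok:
            return False
        if new.lower() in COMMON_DEFAULTS or len(new) < 8:
            return False
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(new, salt), False)
        return True


if __name__ == "__main__":
    store = CredentialStore()
    label_pw = store.provision_factory("admin")
    print("factory login:", store.verify("admin", label_pw))        # (True, True)
    print("set 'password':", store.change_password("admin", label_pw, "password"))  # False
    print("set strong:", store.change_password("admin", label_pw, "Hx9!plate-river"))  # True
    print("factory login after rotation:", store.verify("admin", label_pw))  # (False, False)
```

The `must_change` flag is what turns "a mechanism to change passwords" into something the device actually enforces: a unit whose label password has never been rotated keeps reporting it, so the management UI can refuse to expose the device to the network until rotation happens.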
Additionally, the IoT Cybersecurity Improvement Act amends the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act to add a narrow exception for security research. Under that exception, the criminal and civil penalties of those statutes would not apply to research on the types of devices purchased by the government, provided the research is carried out in good faith and in a manner that meets government-set guidelines. Historically, government and manufacturers have leaned on these laws to muzzle security work they found embarrassing.
While the security mandates in this bill are practices any IoT device vendor should already be upholding, the bill would pave the way for higher security standards beyond IoT. As with similar legislation, there will be a ripple effect that extends beyond the government sector to all industries and to consumers. Ultimately, these proposed changes are a step toward laying the foundation for a more secure connected world.