New IoT Device Regulation Establishes Base Line for Security

The legislation seeks to use the government's purchasing power: if the bill passes, federal agencies will be able to acquire only those IoT devices that meet the bill's requirements.

Senators Mark R. Warner (D-VA), Cory Gardner (R-CO), Maggie Hassan (D-NH) and Steve Daines (R-MT), as well as representatives Robin Kelly (D-IL) and Will Hurd (R-TX) have introduced the IoT Cybersecurity Improvement Act of 2019.

The bill is a revision of the one that Sen. Warner first introduced in 2017. At that time, it made little progress. The overall approach of the bill is to use the spending power of the government to acquire only those IoT devices that meet the bill's requirements.

The bill calls on the National Institute of Standards and Technology (NIST) to do all the hard technical work by making recommendations for this class of device that look at identity management, patching, and their configuration.

NIST already has a draft document published that addresses these issues and has gone through a process of public comment. The bill is not operating in a vacuum. The EU recently published an IoT standard that seems to be reasonable, but has no enforcement teeth to it. It may well be that the document serves as a basis for enforcement under the EU's GDPR regulations.

In fact, the developers of the standard -- the European Telecommunications Standards Institute (ETSI) -- have said that the effort is "to establish a security baseline for Internet-connected consumer products and provide a basis for future IoT certification schemes."

California has also taken a legislative attempt at IoT security, with their law going into effect January 1, 2020. Exactly how their effort will work with the federal bill (if passed) has not yet been determined.

Phil Neray, VP of Industrial Cybersecurity at CyberX, commented on the bill in a statement to SecurityNow.

"IoT device manufacturers have typically deprioritized security in favor of faster time-to-market and lower costs," he noted. "As a result, many IoT devices have much weaker security than other devices upon which we depend such as laptops and cell phones, lacking even the most basic security features like simple patching and removal of hard-coded administrative passwords. As a result, IoT devices present a particularly soft target for adversaries, who use them as convenient entry-points to compromise our smart buildings, smart cities, and smart factories. This bipartisan bill is an important step towards steering IoT manufacturers in the direction of stronger security for all devices that fuel our hyper-connected world." His comments reflect the consensus view of IoT security: it is poor, driven by economic incentives, and subject to no oversight at all.

Between the new federal legislation, the EU standard, and the California law, that situation may be changing. All three are designed to ensure that there are economic consequences for a manufacturer's poor security efforts: its devices will not be bought.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.