Overview of IoT Cybersecurity Improvement Act of 2020

The IoT Cybersecurity Improvement Act of 2020 (full text) recently passed the US Senate vote and is headed to the President’s desk for signature. What does it mean for consumers?

This past Tuesday, November 17, 2020, the United States Senate voted on and passed the Internet of Things (IoT) Cybersecurity Improvement Act of 2020. Most recent news stories about government involvement in digital security revolve around encryption and privacy, and around how the legislation being introduced is bad for the general public. So far, however, this bill appears to be good for consumers: it focuses on making sure that IoT devices have a standard set of criteria to meet if they want to earn consumer confidence and trust.

Even if you personally are not involved with the massive surge in IoT, it is no secret that these connected devices have seen exponential growth across the economy. One study by Strategy Analytics predicted almost 39 billion IoT devices in use worldwide by 2025. Another study by IDC expects to see over 41 billion, and those 41 billion devices are expected to produce almost 80 zettabytes of data in that same year. With the absurd growth rate of these internet-connected devices, the relatively low barrier to entry for designing and building something in this category, and every digital company’s desire to have the “next big thing”, it is no surprise that design consideration, reliability, security, and privacy have routinely taken a back seat to the business goal of simply shipping more devices.

With this bill, the US government appears to be changing its tune, at least for this specific class of electronic devices.

So just what does this Act do?

This act asks the National Institute of Standards & Technology (NIST) to come up with a set of guidelines that IoT devices would need to follow in order to be considered for purchase by any US government agency. NIST is the body responsible for all sorts of safety and security guidelines in the United States, including user login and password management, flammability testing on mattresses, and even guidance on fractography of ceramics and glasses as used in industrial machining applications.

Similar to the ISO (International Standards Organization) model of commonly accepted guidelines, this would not officially ban any device manufacturer from selling a device that doesn’t meet the standards, but it does set a de facto standard that most reputable companies will dedicate resources to achieving. Even if you are not selling your product to the US government, being able to meet its criteria is a huge selling point to other potential buyers. Just as in other industries, once the US government requires a certain set of standards for its own purchases, organizations downstream in the supply chain will likely follow suit and require the same level of compliance from their own suppliers. Before long, if your organization does not meet an applicable NIST standard, you may find that nobody is willing to purchase your new device, even if it is completely revolutionary.

Overarching principles on which the bill asks NIST to provide guidance

  • Secure code
    • Does the company use secure coding practices?
    • Do they use a tool to scan their code for bugs and security holes?
    • Do they avoid any hard-coding of passwords or other sensitive items?
  • Identity management
    • Does the final end-user control all identity and security functions?
    • Does the device support a separate login for each user, so that activities can be audited, instead of a single shared account?
  • Patch Management
    • Does the company have a way to allow updates to the device to fix issues?
    • Does the company publish the bugs or vulnerabilities that have been found in their system?
    • Does the company publish what was investigated, the found root-cause, and can you apply an update to fix the problem?

These are pretty standard guidelines used by major technology companies, and many are already on board supporting this bill to help standardize the IoT community:

  • Symantec
  • Mozilla
  • The Software Alliance, which includes companies such as
    • Apple
    • Cloudflare
    • IBM

When does this take effect?

The short answer is we do not have a specific date yet. What we do know so far (from govTrack.us):

Status history of the IoT Cybersecurity Improvement Act of 2020

Once signed by the President, the request will go to the NIST, who will then consider and write up the recommended guidelines. The bill does state that the NIST should publish their guidelines within 90 days of enactment. So at this point, we are waiting for final ratification by the President, then we should see initial guidelines released within 90 days.

Will this single piece of legislation stop the seemingly never-ending release of new devices from manufacturers that may not have fully tested them? No, but it just might slow it down slightly.

Do you think this will be good for consumers? Is this a step in the right direction for security? Leave us your thoughts below.
