IoT legislation will force government vendors to build in security

If passed, the Internet of Things Cybersecurity Improvement Act would help improve security from vendors seeking government contracts, but a lot of consumer-grade IoT products would be unaffected.

Four U.S. lawmakers hope to give Internet of Things (IoT) security a nudge forward with legislation that would require devices purchased by government agencies to meet basic security requirements.

The Internet of Things Cybersecurity Improvement Act, introduced by a bipartisan group of senators Aug. 1, aims to set up the U.S. government as an example of good IoT hygiene while discouraging lax security practices across the industry, the bill's sponsors say. The bill would require vendors that supply government agencies with IoT products to ensure that devices are patchable and free from known security vulnerabilities. The bill would also prohibit IoT vendors from using unchangeable, hard-coded passwords in devices they sell to agencies.

IoT vendors and security experts gave the legislation a mixed grade, with critics saying while it could lead to better security for the IoT in the government, it will have limited impact in the enterprise market. Others applauded the bill.

If passed, the bill may create "little change across the whole IoT industry and a lot of change with just a handful of vendors," says Kilton Hopkins, IoT program director at Northeastern University's Silicon Valley campus.

IoT products sold to the government aren’t likely to be the same as those sold to security-challenged consumer products, explains Hopkins, also co-founder of iotracks, an IoT developer tool company. "While there will be an incentive for IoT product manufacturers to make their product compliant with the legislation, we have to ask ourselves whether the U.S. government is a significant customer for those [consumer-focused] manufacturers," he adds.

The bill’s sponsors say new security standards for the IoT are necessary. They introduced the legislation following a handful of major IoT-based attacks, one using compromised devices in a botnet to attack DNS service provider Dyn in October 2016.

The legislation would "establish thorough, yet flexible, guidelines" for government procurement of IoT devices, said Sen. Mark Warner, a Virginia Democrat and primary sponsor of the bill, in a statement. "My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products."

Read the latest on HPE's server security strategy by Moor Insights.

The legislation might not have an immediate impact on government security, however, because many federal agencies have been slow to embrace the IoT.

Still, a handful of agencies, including the Department of Defense, have been using IoT-like technologies for years. The DoD has used automated sensors for decades, and the military has deployed IoT devices in so-called green buildings, says a DoD spokesman. The agency also uses the IoT for monitoring environmental conditions and securing facilities.

Some lawmakers and cybersecurity advocates have long argued that the U.S. government can use procurement rules to encourage IT vendors to make more secure products. The impact of such security regulations is unclear.

The bill is a good first step toward better IoT security, some experts say. A set of IoT security standards can filter down to state and local governments, meaning they won't need to "reinvent the wheel," says Craig Spiezle, chairman emeritus and founder of the Online Trust Alliance, a nonprofit focused on security best practices.

The bill could also drive forward larger IoT security improvements, Spiezle adds: "Consumers can benefit from this legislation if manufacturers add these minimum requirements to their devices out of the gate."

The legislation could improve IoT security for manufacturers that have built insecure backdoor access into their products, adds Trent Ridgway, chief technology officer at EzCloud, an IT and IoT services vendor. But hard-coded or easily guessed default passwords on IoT devices "have largely been abandoned due to the numerous and well-documented history of lazy [or] naive system administrators not changing known industry-standard passwords," he says.

However, legislation often doesn't work as intended, Ridgway adds. "The IoT is an ever-changing enigma. Trying to legislate what it can and can't do is like trying to capture lightening bugs in a field--you're getting only a very small part of the whole pie," he says.

The bill should revisit the regulations every year, not every five years as written, Ridgway recommends. It also doesn't include a timeline for federal agencies to change their IoT procurement rules. It lacks "consequences when targets and timelines are missed," he points out.

With its focus on government deployments, the bill could improve overall IoT security "perhaps just a little bit," adds Northeastern University's Hopkins. "If every manufacturer took the high road and produced IoT devices that had randomized passwords that could also be changed by the user, and ensured that their devices were always patchable, then we would have substantial IoT security improvement," he says.

But the bill applies only to IoT devices sold to government agencies, meaning "it's not likely to improve the DDoS attack threat across the large body of consumer IoT devices," Hopkins adds.

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.