The Internet of Things Cybersecurity Improvement Act will require device manufacturers to meet new security standards for government contracts. A carryover effect is expected for the private sector.

As the world moves toward interconnection of all electronic devices, the proverbial internet of things (IoT), device manufacturers prioritize speed to market and price over security. According to Nokia’s most recent threat intelligence report, IoT devices are responsible for almost a third of all mobile and Wi-Fi network infections. This ratio will likely grow dramatically as the number of IoT devices continues its exponential growth. A recent report from Fortinet warns that the rapid introduction of edge devices will create opportunities for more advanced threats, allowing sophisticated attackers and advanced malware to “discover even more valuable data and trends using new EATs [edge access Trojans] and perform invasive activities such as intercept requests off the local network to compromise additional systems or inject additional attack commands.”

The Internet of Things (IoT) Cybersecurity Improvement Act, passed by the House in September and unanimously approved by the Senate last week, is a step toward warding off these threats and providing greater security in IoT devices. The act is headed to the desk of President Trump, who is expected to sign it into law.

The goal of the act, in the words of Congresswoman Robin Kelly (D-IL), one of the original sponsors of the legislation along with Representative Will Hurd (R-TX), is to “ensure that the US government purchases secure devices and closes existing vulnerabilities to protect our national security and the personal information of American families.” It aims to create “standards and guidelines” for the federal government to follow, with the hope that the requirements also make their way into private-sector manufacturing.
NIST to publish IoT security standards within 90 days

The bill expects these standards and guidelines to be developed “collaboratively within and among agencies in the executive branch, industry and academia” and defines the IoT according to the second draft of the National Institute of Standards and Technology (NIST) Interagency or Internal Report NISTIR 8259, which was first published in January 2020 and then revised in July. Consistent with that NIST definition, IoT devices must:

- Have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface, and not be conventional information technology devices, such as smartphones and laptops, for which the identification and implementation of cybersecurity features is already well understood.
- Be able to function on their own, rather than only when acting as a component of another device, such as a processor.

The act requires the director of NIST to publish, within 90 days of enactment, standards and guidelines for the federal government on the appropriate use and management of IoT devices by agencies, including minimum information security requirements for managing the cybersecurity risks associated with such devices. These standards and guidelines must be consistent with NIST’s existing efforts related to IoT devices and must address identity management, patching and configuration management. Six months after NIST publishes its standards, the director of the Office of Management and Budget (OMB), after consulting with the director of the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS), will review the standards published by NIST. Any policy related to the act published by OMB will not apply to telecommunications or information systems that involve intelligence, military or weapons systems.
OMB will also be responsible for updating any such policy or principles each time the NIST director reviews the IoT standards and guidelines, which the act says should happen every five years.

The act also requires the NIST director to consult with industry and academia to develop, within 180 days, guidelines for reporting, coordinating, publishing and receiving information about security vulnerabilities in IoT devices. The NIST director will also be responsible for reporting such vulnerabilities and disseminating information about them.

Finally, every two years after the bill’s enactment, the Comptroller General of the United States will submit unclassified reports to the relevant House and Senate committees on the waiver process set up in the act, which allows OMB to issue waivers of the law’s provisions. One year after the act is enacted, the comptroller general will brief the same committees on the broader IoT effort and will submit the same report every two years thereafter.

Legislation envisioned by Cyberspace Solarium Commission

The successful passage of this legislation and the overwhelming support it garnered among lawmakers is due in no small part to the Cyberspace Solarium Commission, a bicameral, bipartisan public-private initiative designed to tackle some of the more intractable problems in digital security. In May, the Commission issued a white paper, “Cybersecurity Lessons Learned From the Pandemic,” which recommended that Congress pass an IoT security law. Arguing that such a law should be only minimally prescriptive, as the IoT Cybersecurity Improvement Act is, the paper advocated that the “law should focus on known challenges, like insecurity in Wi-Fi routers, and mandate that these devices have reasonable security measures, such as those outlined under the National Institute of Standards and Technology’s ‘Recommendations for IoT Device Manufacturers.’” The Commission’s original set of recommendations did not specifically mention IoT devices.
Still, the pandemic drove home the point that the vast swath of devices people use to work from home greatly expands the US digital attack surface, Robert Morgus, director of research and analysis for the Commission, said when introducing the IoT legislation recommendation in June. “We wanted to be minimally prescriptive when we talked about this, so we really went for real baseline requirements and recommendations, things like ensuring you have unique authentication built-in by default and asking that when an IoT device first gets connected to the network that the user has to enter a new authentication user ID and password and ensuring that devices are patchable.”
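As an added example, not code from the article, the Act, NIST or the Commission, the following Python sketch models two of the baseline requirements Morgus lists: a default credential that is unique to each unit rather than shared across a product line, and a gate that refuses normal service until the first user sets a new user ID and password. The factory secret, serial numbers, derivation scheme and class names are assumptions for illustration only.

```python
# Added example: a model of per-device unique default credentials plus a forced
# credential change on first use. Not code from the article, the Act or NIST.
import base64
import hashlib
import hmac
import secrets

# Constructed for the example. In a real product this is a per-batch secret held
# in the factory provisioning system and is never stored on the device.
FACTORY_SECRET = b"constructed-factory-provisioning-secret"

PBKDF2_ROUNDS = 100_000


def derive_default_password(factory_secret: bytes, serial: str) -> str:
    """Derive a default password that is unique to one unit (hypothetical scheme).

    A fleet-wide hardcoded default such as admin/admin is what botnets scan for.
    An HMAC over the serial number gives every unit a different default that can be
    printed on its label, while support can still regenerate it from the serial.
    """
    digest = hmac.new(factory_secret, serial.encode(), hashlib.sha256).digest()
    return base64.b32encode(digest[:10]).decode()  # 16 chars, no padding


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class DeviceAuth:
    """Authentication state of one device as it leaves the factory."""

    def __init__(self, serial: str, factory_secret: bytes = FACTORY_SECRET):
        self.serial = serial
        self.username = "admin"
        self._salt = secrets.token_bytes(16)
        self._default_password = derive_default_password(factory_secret, serial)
        self._hash = _hash_password(self._default_password, self._salt)
        # Until this flips, the only operation allowed after login is change_credentials.
        self.credentials_changed = False

    def _verify(self, username: str, password: str) -> bool:
        if username != self.username:
            _hash_password(password, self._salt)  # same cost as a wrong password
            return False
        return hmac.compare_digest(_hash_password(password, self._salt), self._hash)

    def login(self, username: str, password: str) -> str:
        """Return "denied", "must_change" (still in factory state) or "ok"."""
        if not self._verify(username, password):
            return "denied"
        if not self.credentials_changed:
            return "must_change"
        return "ok"

    def change_credentials(self, current_password: str, new_username: str, new_password: str) -> bool:
        """First-connection step: set a new user ID and password; the label default is refused."""
        if not self._verify(self.username, current_password):
            return False
        if not new_username or new_password == self._default_password or len(new_password) < 12:
            return False
        self.username = new_username
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(new_password, self._salt)
        self.credentials_changed = True
        return True


def first_connection_flow(device: DeviceAuth, label_password: str) -> list:
    """Walk one device through the states the quote describes and return what happened."""
    results = [device.login("admin", label_password)]                                  # must_change
    results.append(device.change_credentials(label_password, "admin", label_password))   # rejected: reuses default
    results.append(device.change_credentials(label_password, "ops-gw01", "correct horse battery"))  # accepted
    results.append(device.login("admin", label_password))                               # old default now denied
    results.append(device.login("ops-gw01", "correct horse battery"))                   # ok
    return results


if __name__ == "__main__":
    unit = DeviceAuth("SN-000001")
    label = derive_default_password(FACTORY_SECRET, "SN-000001")
    print("unique defaults:", label != derive_default_password(FACTORY_SECRET, "SN-000002"))
    print("first-connection flow:", first_connection_flow(unit, label))
```

The derivation keeps the manufacturer's support workflow (regenerate a lost default from the serial) without a shared secret on every unit, and the `must_change` state is what turns "the user has to enter a new authentication user ID and password" from advice into something the firmware enforces.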