IoT Cybersecurity Act 2020

Introduction

While the cybersecurity headlines over the past few weeks here in the US have been focused on unfounded claims of voting machine hacking and turmoil at CISA, the top of the agency in charge of protecting the nation’s infrastructure from cyber attacks, there has been some good news on the IoT Security front.

Last week the US Senate unanimously approved the IoT Cybersecurity Improvement Act of 2020, passing the bill onto the President for his signature.  Why is this important?

Nobody is Asking for IoT Security

We are told regularly by some IoT device manufacturers that the reason they are not prioritizing investment in cybersecurity is because their customers don’t ask for it. Given tight margins, competitive markets and rapidly moving roadmaps, the end result is insecure products, botnets, and compromised networks.

The new bill takes an important step to address this issue. Under the bill, NIST is tasked with defining recommendations and best practices for building and deploying secure IoT devices. NIST has a robust program for defining IoT Standards and compliance

No IoT Security… Then No Business for You

What is important about this bill is Section 7a, “Prohibition on Procurement and Use” – where the Federal Government is required to only purchase IoT devices that conform to the new NIST IoT Security Standards. The way to get the device manufacturers’ to fix poor cybersecurity practices is to limit their access to markets for their products.

Expect to see other industries adopt these standards as part of their procurement processes as well. As we wrote this summer – vendors need to embrace IoT Security Compliance or Die a Slow Death.

While a good step, this change will still take some time to come into effect. And we look to NIST to release strong, objective standards.

It’s Time for Device Vulnerability Management

As we’ve said many times before, having conference phones or security cameras from top tier vendors that have 10 year-old unpatched network vulnerabilities is not acceptable – and the IoT Cybersecurity Improvement Act of 2020 is an important step forward to address the problem.

Additional reading:
https://www.theregister.com/2020/11/18/us_iot_security/
https://fcw.com/articles/2020/11/18/iot-cyber-bill-passes-senate.aspx
https://threatpost.com/iot-cybersecurity-improvement-act-passed/161396/
https://www.cyberscoop.com/congress-iot-cybersecurity-bill-contractors/