In the face of ever-increasing Internet of Things (IoT) security threats, the US government has started efforts to regulate IoT security with a new bill introduced in the Senate. Should the bill become law, it would require IoT equipment sold to the government to be patchable and to meet specific security requirements.
This bill comes at an opportune time, as IoT devices are increasingly deployed within the US government and in organizations, offices and households around the world, and every new device enlarges the attack surface. The nature of these threats is illustrated by last year’s Mirai botnet attack, in which simple, unsecured devices such as IP cameras and home routers were turned into remotely controlled ‘bots’ and used for large-scale Distributed Denial of Service (DDoS) attacks that made much of the Internet unreachable for millions of people. These devices were easy to take over in part because they were exposed to the Internet with factory-default credentials, which the owners had not changed and which, in many cases, the manufacturer had hardcoded so that they could not be changed at all.
Securing the IoT is a nontrivial challenge, not least because many emerging IoT devices lack the memory, processing power and battery budget to run the security frameworks we rely on for smartphones, desktops, servers and other resource-rich platforms that connect to the Internet.
Entitled the “Internet of Things Cybersecurity Improvement Act of 2017,” the bill would apply to all IoT devices procured by government agencies. Because of the scale of government IoT purchases and the range of devices affected, it also gives device makers a clear signal to step up their security efforts.
Whether it is wearables, sensors, or other Internet-connected devices, the draft legislation requires devices sold to the government to be patchable, not to depend on hard-coded passwords, to use up-to-date industry-standard protocols, and not to contain known security vulnerabilities. The bill also proposes guidelines on vulnerability disclosure for contractors providing connected devices to the government. The bill is explicit that the onus is on manufacturers to make their devices secure and patchable, and to keep them up to date as new vulnerabilities and exploits are discovered.
IoT security faces a double threat. Compared to traditional deployments of smartphone, desktop, or server systems, emerging IoT deployments often involve a far greater number of devices. At the same time, the security of many of the latest connected, ‘smart’ IoT devices is weaker than that of traditional computing platforms: they are designed for affordability and low power consumption and may not have the resources to run conventional security protocols, so each device is both more numerous and easier to compromise.
In the coming months and years, the federal government’s demand for innovative IoT devices will only grow. This bill would help ensure that the government can establish and maintain the requisite levels of security and data protection as ever more IoT devices are deployed. Many other governments around the world are also waking up to the fact that connecting massive numbers of devices to the Internet poses a security risk that needs to be managed, although, as ever, legislation will lag technical development. That is why it is time for both manufacturers and purchasers of IoT devices to carefully consider the security risks inherent in the products they are making and buying, and to take the necessary steps to ensure that these products offer reliable data protection and security both now and in the future.