In response to widespread concern regarding the vulnerability of IoT devices, earlier this month the US Senate introduced the Internet of Things Cybersecurity Improvement Act to set security standards for devices installed in US government networks.
The prospective law aims to ensure that devices are protected and not vulnerable to attack and also that vendor products are both patchable and conform to industry standards. It would also prohibit vendors from supplying devices that have unchangeable passwords. In addition, the bill also directs the Office of Management and Budget to develop alternative security requirements for devices with limited data processing and software functionality and requires each executive agency to inventory all internet-connected devices in use.
If passed, the bill would also require the government to issue guidelines calling for each agency to include certain clauses in future contracts when IoT devices are being acquired. This includes using modern and non-deprecated protocols, as well as requirements for updating, replacing or removing, in a timely fashion, vulnerabilities in software and firmware components in a properly authenticated and secure manner. The provisions and guidance in the bill for leveraging existing security standards will be useful for building on the success of successful existing implementations.
The Internet of Things Cybersecurity Improvement Act is a much-needed upgrade to a few critical laws, including the 20-year old Digital Millennium Copyright Act (DMCA). The new legislation seems to be generally viewed as a positive step because it would not significantly impact manufacturers beyond the burdens of shipping a useable product and because security researchers would have increased legal protection enabling them to hack devices to track down exploits.
IoT Adoption in the US Government
The US government has relied on internet connected devices for years and after the increasing number of attacks, it’s no surprise that it is now making moves to secure the many “things” it purchases and connects.
In a study conducted last year by the Center for Data Innovation, it was shown that the US government uses IoT devices on a wide basis to improve facilities and reduce costs. For example, in the smart buildings sector, thousands of low-cost connected sensors are installed at 80 high-energy-use government buildings. The Government Services Administration uses telematics to track, locate and monitor the emissions of more than 200,000 vehicles to ensure compliance with government mandates for reductions in greenhouse gas emissions by 30% by 2025. Other federal agencies such as the Department of Defense (DoD) use RFID tags and sensors from connected devices to track and manage military supplies, such as clothing, construction materials and medical supplies. These devices have enabled the Defense Logistics Agency and the US Transportation Command to monitor 3.5 billion transactions per month from 67 DoD logistics systems and 250 commercial transportation carriers.
For industries like manufacturing, which will increasingly rely on Digital Certificates and Public Key Infrastructure (PKI), such as GlobalSign’s offering that enables secure device identity, the proposed law is a step in the right direction. Experts have warned for years that connected devices could be exposed without a way to patch their software or replace shared hard-coded passwords set at factories – increasingly a concern since hackers are known for exploiting basic security holes, especially in the case of sensors. By leveraging existing best practices stronger authentication approaches like per-device unique Digital Certificates will be more widely adopted. This prospective law could be a tipping point for manufacturers to collaborate more closely with the cybersecurity industry to ensure that devices in the exploding IoT market are as secure as possible.
Our Thoughts on the Bill
As GlobalSign continues to expand its offerings for identity and security solutions for some of the world’s largest organizations, we believe the proposed law demonstrates the government is taking the necessary steps to ensure the security of connected devices, and that stronger security solutions will be put in place to limit attacks. Our company is uniquely positioned to issue Digital Certificates at high volume and massive scale to IoT devices – as many as 3,000 per second - delivering strong device identities to enable the foundations of IoT security; authentication, encryption and device integrity. We are working closely with manufacturers of some of these devices, which in some cases could be part of government networks.
We will be monitoring developments around this proposed law and how it will shape the next generation of IoT devices and the industries sprouting up around them. Legislation such as this cybersecurity improvement act will also have market consequences for how organizations do or do not approach IoT security. If passed, the effectiveness of this act will be determined in the following months as the first phases of the program are enacted.