IoT Security Reaches Congress

IoT security now has some influential eyes on it. Earlier this year, U.S. Senators Steve Daines, Cory Gardner, Mark Warner and Ron Wyden introduced the Internet of Things Cybersecurity Improvement Act of 2017, which seeks to set a baseline of security standards for IoT-enabled devices before they can be sold to federal agencies. It’s built on three mandates:

• Default password capabilities must be eliminated.
• Devices with listed vulnerabilities known to the federal government cannot be sold unless vendors acquire an exemption or waiver.
• Devices must come equipped with an IoT patching mechanism.

Then, in October, Senators Edward Markey and Ted Lieu introduced the Cyber Shield Act of 2017, which, according to the legislation, would create a “process for identifying, establishing, reporting on, adopting, maintaining and promoting compliance with the voluntary cybersecurity and data security benchmarks” for devices that receive or transmit data.

If passed, the Cyber Shield Act would require the assembly of a Cyber Shield Advisory Committee, which would have one year to create a construct for labels designed to identify devices that meet security standards.

Whether either bill passes – or whether or not they would be effective – is up for debate. What is clear is that IoT security is important enough to attract Congress’ attention, which gives the topic a certain level of gravitas. That said, it is something those in the industry have understood and have been concerned about for quite some time.

IoT security – whether it comes in the form of legislation or voluntary industry best practices – must be addressed because it is not going away. We believe the following actions deserve immediate attention to help make IoT-enabled devices more secure:

• A greater push for responsibility from those building endpoints and IoT devices to make them more secure.
• Increased communication between operators, MVNOs, and device manufacturers to identify emerging IoT security issues and how to solve them.
• Ongoing conversations that explore best practices for dealing with an outage state, including input from all levels of the IoT ecosystem.
• Greater threat intelligence and attribution information that addresses the underlying reasons for nation states and criminal groups who are perpetrating attacks.
• Greater transparency in how organizations are dealing with vulnerabilities and lessons that can be learned from them.
• Creation of a set of IoT security standards with strong incentives for compliance.

Interested in how you can make your IoT application more secure?