The House of Representatives recently passed the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 (the Act). The Act has been sent to the Senate for consideration. The legislation sets minimum security standards for IoT devices purchased by federal government agencies.
IoT refers to the myriad of physical devices that are connected to the internet, collecting and sharing data. They are used by both consumers and corporations.
Common examples range from consumer products such as fitness trackers and home thermostats to devices used by business and government that measure air quality or monitor the operation of military components.
Whatever tasks IoT devices accomplish, they remain vulnerable to cyberattack. Currently, there is no national standard addressing cybersecurity for IoT devices. There have been several attempts in recent years to develop a national IoT strategy. For example, in late 2017, a coalition of tech industry leaders released a report calling for the creation and implementation of a national strategy to invest in, innovate and accelerate the development and deployment of IoT, and stressed the need to enact legislation which would, inter alia, require IoT security measures in a “comprehensive manner.” Further, as far back as 2015, the FTC issued “concrete steps” businesses can take to enhance the privacy and security of IoT for consumers.
According to a statement issued by Rep. Robin Kelly (D-IL), sponsor of the Act in the House, “Securing the Internet of Things is a key vulnerability Congress must address. While IoT devices improve and enhance nearly every aspect of our society, economy and everyday lives, these devices must be secure in order to protect Americans’ personal data.” Senator Mark Warner (D-VA), who introduced the Senate version of the legislation back in 2017, stated that “manufacturers today just don’t have the appropriate market incentives to properly secure the devices they make and sell – that’s why this legislation is so important.” Rep. Kelly’s statement noted that many IoT devices ship with factory-set passwords that frequently cannot be changed or patched. IoT devices can also represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack.
The Act requires the National Institute of Standards and Technology (NIST) to publish standards and guidelines on federal government agencies’ use of IoT devices. The Act states that the Office of Management and Budget is to review government policies to ensure they are in line with NIST guidelines. Federal agencies would be prohibited from procuring IoT devices or renewing contracts for such devices if it is determined that they do not comply with the security requirements.
New technologies and devices continuously emerge, promising societal, lifestyle and workforce benefits including increased productivity, enhanced talent recruiting and management, improved monitoring and tracking of human and other assets, and better wellness tools. While these advancements are undoubtedly valuable, the privacy and security risks should be considered and addressed before implementation or use, even without national IoT security legislation in place.