Congressional Bill Will Set Security Standards for IoT

A bipartisan group of congressional members recently introduced a bill in the House of Representatives aimed at establishing minimum information security standards for IoT devices used by government agencies. The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 (H.R. 1668) was sponsored by Rep. Robin Kelly (D-IL) and co-sponsored by an equal number of Democratic and Republican representatives. The official purpose of the bill is “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes.”

H.R. 1668 is actually a revised version of an earlier bill introduced in the Senate in 2017 by another bipartisan collective headed by Senator Mark Warner (D-VA). The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (S. 1691) was being reviewed by the Committee on Homeland Security and Governmental Affairs before it stalled, and the same happened to another version also put forward by Rep. Kelly. The newest iteration aims to overcome the earlier hurdles by assigning responsibility for establishing the final guidelines to the National Institute of Standards and Technology (NIST).

Future Baseline for IIoT

The idea behind each version of the bill has been to induce manufacturers who rely on government contracts to enforce information security best practices for their IoT products. This self-regulation is expected to stabilize cybersecurity standards across the industrial IoT (IIoT) manufacturing sector. The current form of the IoT Cybersecurity Improvement Act specifically attempts to take advantage of a concentrated effort by NIST to build the foundations for this baseline, which ostensibly will minimize the amount of bureaucratic deliberation.

27 Billion IoT Devices

Nearly 27 billion IoT-capable devices are expected to exist by the end of 2019, a figure expected to grow to over 75 billion by 2025. Part of the reason for this exponential proliferation is that so many popular products can now feature IoT capability. Chances are that sitting in your hand, in your pocket, or on your desk is a tool that can access most smart devices on the market right now, and that your next upgrade will connect to even more in the future. As data-capturing sensors become more commonplace, the IoT ecosystem will take over an even greater percentage of our digital real estate.

A New Design

The IoT Cybersecurity Improvement Act takes the above expectation into account, along with the historically poor approach of IoT device manufacturers to ensuring long-term network security. The bill would essentially force the hand of existing and future producers into implementing their own information security standards within their products. Similar to how life science industries self-regulate to prevent FDA penalization, the bill would create an incentive for IoT device makers to begin policing themselves and establish best practices for their sector.

Do Not Rely on Current Security Standards for IoT

This bill will hopefully generate a greater impetus for smart device manufacturers to enforce security standards for their products. However, it will still be a long time before the industry aligns itself around these guidelines, and several of the billions of IoT machines out there now are incompatible with future upgrades.

