Don't be too shocked, but it looks as though these politicians have actually got their act together on IoT security

Analysis In an all-too-rare sign of Congress doing its job, on Wednesday US lawmakers introduced a new law bill aimed at improving the security of the internet-of-things.

The legislation has been introduced into both the House and the Senate with politicians from both sides supporting it. What's more, the Internet of Things (IoT) Cybersecurity Improvement Act has the backing of industry and security experts and is well written.

In essence, the proposed law would require America's National Institute of Standards and Technology (NIST) to come up with guidelines for IoT devices and would require any federal agency to only buy products from companies that met those guidelines.

This puts the issue of what actual standards are introduced into the hands of the experts, and uses the power of federal procurement to create a de facto industry standard. Companies will still be able to create insecure products and market them to the general public, but they would be competing with existing products that can advertise their standard-readiness.

The law even provides realistic but firm deadlines on progress: NIST would be required to give a framework by September 30 and formal recommendations by March 31, 2020. The rules would have to be reviewed and revised every five years.

And in a further sign that Congressmen have actually been listening to people who know what they're talking about, the law gives a minimum list of considerations to be covered by NIST: secure development, identity management, patching and configuration management.

And the law would require the General Services Administration – the arm of the federal government that sources products and comms for federal agencies – to come up with guidelines that would require each agency to report and publish details of security vulnerabilities, and how they resolved them, and coordinate with other agencies.

Supporters

It's perhaps no wonder then that respected names have come out in favor of the new law.

Symantec, Mozilla, BSA The Software Alliance (which includes Apple, Microsoft, IBM et al), Cloudflare and the CTIA have also offered their official support, as well as security expert Bruce Schneier, who's last book Click Here to Kill Everybody dealt with the security problems caused by IoT devices.

"Empowering NIST to set standards for the development and management of these devices… will help secure the sensitive data held by the government and the private information shared within our homes," said Mozilla's VP of Global Policy, Trust, and Security, Alan Davidson.

"I applaud Senator Warner and his co-sponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government,” said Schneier.

The legislation is being introduced in the Senate by Mark Warner (D-VA), Cory Gardner (R-CO), Maggie Hassan (D-NH) and Steve Daines (R-MT); and in the House by Representatives Robin Kelly (D-IL) and Will Hurd (R-TX).

The law follows a similar law passed in California in October called "Security of connected devices" which will oblige any manufacturer of an internet-connected device in the state to give it a unique password from the start of 2020.

That law is a good first step in dealing with an increasingly problem of companies sticking internet connectivity into their devices without thinking through the security implications.

Wasted opportunity

But, as we noted at the time, it was also a wasted opportunity: unique passwords are a big problem but so is software that is not updated and left in the hands of consumers. Much more work can and should be done to figure out how best to prompt millions of consumers to keep their devices updated or it's just a matter of time before their IoT devices becomes a security issue.

Hopefully the NIST recommendations will take a deeper dive into how the United States can come up with a stronger and sustainable model of device security now and in the future.

As for the chances of the law passing, that is impossible to know. A similar bill was introduced by Senator Warner two years ago but it was a little too prescriptive and involved a range of federal agencies including Defense, Commerce and Homeland Security. It never got out the Senate.

This bill is better designed, treads on fewer toes and leaves things to NIST to figure out. It also has industry backing. In short, it is much more likely to pass – which would be a good thing for everyone. ®