Congress introduces IoT security legislation

IoT and new security legislation

A new bill introduced in both the U.S. Senate and House would require IoT devices purchased by the government to use more advanced security than currently exists.

The bipartisan legislation, titled as the “Internet of Things (IoT) Cybersecurity Improvement Act of 2019,” sets minimum security standards for the devices procured by federal entities.

IoT Security Under Spotlight

IoT security issues include malicious botnets, weighing added functionality against added risk, and regulators’ need to anticipate problems instead of acting in a reactionary way.

Rather than be reactionary to a catastrophic loss of data, Congressional leaders hope to take active steps with this legislation.

Sen. Mark Warner (D-VA), a former tech entrepreneur and bill co-sponsor, said in a press release he was “concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security.”

Sen. Cory Gardner (R-CO), another bill co-sponsor, remarked that “[a]gencies like the National Institute of Standards and Technology (NIST)” would spearhead the establishment of IoT device security requirements for manufacturers selling to the government.

Ongoing Monitoring, Reporting from Government Agencies

The nine page bill calls not only for minimum requirements to be established for IoT device security, but also calls for the “reporting, coordinating, and receiving of information” regarding known vulnerabilities from government agencies.

Guidelines regarding the “use and management” of IoT devices are also to be published on a per-agency basis by the National Institute of Standards and Technology (NIST). NIST is called upon to work with industry researchers both public and private to design the standards in a timely manner.

The press release mentions a Senate Armed Services Committee hearing held last year in which Defense Intelligence Agency Director Lt. General Robert Ashley said IoT was one of the two “most important emerging cyber threats to our national security.”

In May 2018, the Departments of Commerce and Homeland Security published a joint report recommending greater security in the devices procured by government buyers.