The Internet of Things (IoT) Cybersecurity Improvement Act was signed into law in December 2020 to guide the acquisition of smart devices for the United States federal government, but it impacts much more than just government equipment. These devices depend upon application programming interfaces (APIs) to connect to other applications and items, each of which can introduce additional vulnerabilities.
Cybersecurity continues to evolve at breakneck speed in our increasingly connected world, and is driving the need for standards and guidance to keep our connectivity secure. The IoT Cybersecurity Improvement Act is one example of such legislation.
This guide will explain everything you need to know about the Act, including what it is, what it is intended to do, and what it means for the future of IoT.
Digging Into the IoT Cybersecurity Improvement Act
In the hypercompetitive computer and electronics space, there is always a rush to be the first to market. That sometimes means the process of robust testing for security vulnerabilities in the devices and their APIs is left by the wayside. A few things to know:
- The IoT Cybersecurity Improvement Act leverages the purchasing power of the U.S. government to incentivize companies to ensure the devices they create and sell are secure.
- The law is an attempt to make manufacturers responsible for ensuring their devices and APIs are secure, including through independent third-party testing.
- APIs allow services, software, and devices to communicate, powering the IoT.
- Cybercriminals can use APIs as a backdoor into organizations, where they can gain access to hardware, software, and sensitive or proprietary data.
This matters for many reasons. Verizon has noted that while 71% of breaches were financially motivated, 25% were the result of espionage. We rely on these devices every day to communicate, operate voice-activated assistants, schedule or attend virtual doctor’s appointments, track fitness on wearables, and more, and each of those uses is a potential entry point for an attacker.
The law has multiple aspects:
- It tasks the National Institute of Standards and Technology (NIST) with publishing standards and guidelines for managing security risks from the federal government’s use of IoT devices.
- It compels the Office of Management and Budget (OMB) to review the government’s information security policies and update them in line with the NIST recommendations, including the policies that apply to federal civilian agencies.
- It requires NIST and OMB to revisit and update the IoT standards at least every five years.
- The act prohibits the purchase or use of any device that doesn’t comply with its requirements, except for certain mission-critical devices subject to a waiver.
- The law requires federal agencies to implement vulnerability-disclosure policies for IoT devices.
Though the intent is to place guidelines around the purchase and use of government electronics, the implications are much further reaching. Let’s look at why this law is an important step in advancing cybersecurity.
Why This Legislation Is Critical
Globally, online security and the threat from connected devices is growing, fueled in unexpected ways. These include, but are not limited to, the following scenarios.
Global Health Crisis
The COVID-19 pandemic has forced more companies to quickly adopt cloud technologies and other services. Unfortunately, the speed at which they must be operational — combined with the lack of adequate security training and expertise to configure or test the solutions — provides a perfect opportunity for hackers. Bad actors wait for opportunities that inadequate security affords them.
Consider the IoT as the perfect superspreader event for highly dangerous and infectious viruses, Trojan horses, distributed denial of service (DDoS) attacks, and ransomware throughout homes, businesses, and the government at the speed of 5G. What just a few years ago would have affected a few million users would now pale in comparison to the billions likely impacted. Now consider what that could do when it reaches critical infrastructure, hospitals, utilities, or the defense department. It could, quite literally, stop us in our tracks, shutting down communication, causing chaos, and making the country vulnerable to its enemies. On the other hand, breaching sensitive government data could impact the country and the world at a different level.
The WikiLeaks breach, in which 20,000 emails were taken from servers and published, exposing communication between Hillary Clinton and others in the DNC, may have affected the outcome of the 2016 presidential election. Around the same time, the Mirai botnet caused widespread internet outages, attributed largely to insecure IoT devices. In 2018, 19 Chinese individuals, 18 Russians, 11 Iranians, and one North Korean were indicted for state-sponsored espionage against the United States.
The most recent cybersecurity concern was the 2020 presidential election. Lingering reports of Russian interference in the 2016 election fueled concern that foreign governments could hack the election to influence its outcome. The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency (CISA) made a concerted effort to ensure the integrity of the election, supported by a nationwide public-private cooperation effort.
The truth is that countless pieces of data — both accurate and inaccurate — and a growing number of device connections can reach billions of readers in no time at all. In the wrong hands, or used by the wrong types of individuals, each can wreak havoc.
The Legislative Obstacles in Getting It Passed
The IoT Cybersecurity Improvement Act was a result of several years of bipartisan effort. While there was little dissent that there was a need for more cybersecurity measures, there were still challenges to getting federal legislation passed.
The definition of IoT devices is extremely broad in the context of the law. There is no detail on the class or type of devices, and they are described loosely as any device that can connect to the internet and receive, collect, or send data. Critics call for a more detailed definition of IoT devices, including which devices are included and excluded.
There are also complaints about ambiguity over which research activities are exempt from the guidelines. The act seeks to amend the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act to exempt security researchers “acting in good faith” from liability, yet it does not specify which types, models, or classes of devices are covered. Detractors voiced concern that this will discourage companies from participating in critical research partnerships.
Push Back From Industry
One of the first opponents of the bill was the U.S. Chamber of Commerce, which claimed the law would unfairly burden the industry. This echoed complaints from businesses that would be subject to the guidelines and its potential ramifications.
In each case, the urgent need for legislation that would set a cybersecurity framework in motion outweighed the concerns. The fact that it was the first law to promote vulnerability disclosure in the private sector was key to its unanimous passage. It was an important milestone, but tightening definitions, identifying and closing loopholes, and enforcing accountability will be a multifaceted evolution. Establishing more robust security standards will take a concerted effort from the government as well as private businesses.
What the Law Means for Our Future
Now that it is enacted, there are some things to watch for as the IoT space evolves under the new legislation:
Businesses rushing products to market have so far been reluctant to release details of known vulnerabilities in their devices or APIs, both to avoid inviting attackers to probe them and to avoid handing an advantage to competitors. The law requires contractors and subcontractors in the government supply chain to have a vulnerability disclosure policy, with the intent of better informing government purchases. The broader benefit of holding multiple stakeholders accountable throughout the device lifecycle is improved end-user transparency about the known risks of IoT devices and, hopefully, more robust security.
Better IoT device protection will evolve from more public/private partnerships. Cybersecurity experts will collaborate to help craft best practices and industry standards, informing the development of government security guidelines. A more holistic view will prevent loopholes unwittingly created by too narrow a perspective.
Though the bill was focused on the federal government, the fallout impacts the consumer market. Industry-led partnerships with the federal government will necessitate a singular, overarching set of guidelines to streamline the production of all IoT devices. Some manufacturers may choose not to sell products to the government in an attempt to circumvent the regulations. However, increasing scrutiny will bring more pressure to bear on all manufacturers to comply.
The IoT Cybersecurity Improvement Act will not be the end. Its definitions are too broad and ambiguous, and it does not spell out specific security requirements, which makes compliance difficult. In the U.S., there are myriad state and industry standards that must somehow be reconciled to ensure consistent adherence. We then need to watch how the international community responds in order to work toward global security.
The next year, particularly, will bring fresh challenges. Between the rapidly increasing threats, the continued need for more virtual connectivity in commerce and education, competition between computer and electronics manufacturers, and the new legislation, companies will have to up their cybersecurity efforts in a material way.
Investing in Cybersecurity
Cybersecurity is becoming increasingly critical in our hyperconnected world. Mounting pressure has prompted efforts by states and foreign governments, such as California’s first state law to address IoT cybersecurity, similar legislation to our federal act by the EU, and a rating system for IoT devices in Singapore. The IoT Cybersecurity Improvement Act is a catalyst that could impel industry and governments to work together to improve guidelines for ensuring safer and more secure devices while detailing specific penalties for noncompliance.
In the interim, however, it can also create uncertainty for businesses deciding where to focus their cybersecurity investments. Contact Option3Ventures today to speak with an expert about any cybersecurity investment questions you might have.