Leading up to the Presidential inauguration of Joe Biden, his Peloton had become a matter of national security. Equipped with a camera and a microphone, the President’s stationary bike has been considered a prime target for hackers, which led to a debate as to whether he should even bring it into the White House.
Now, multiply that matter by millions, and you have some idea of the challenge facing the federal government as it pertains to interconnected devices. That was the impetus behind the Internet of Things Cybersecurity Improvement Act of 2020 (a.k.a. the IoT Cybersecurity Improvement Act of 2020), which was signed into law on December 4, 2020.
The aim of the bipartisan bill, which was introduced in 2017 by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.), is to establish baseline security requirements for IoT manufacturers hoping to contract with the federal government. And, according to the website Cyberscoop.com, Harley Geiger, director of public policy for the cybersecurity company Rapid7, views it as “arguably the most significant U.S. IoT-specific cybersecurity law to date, as well as the most significant law promoting coordinated vulnerability disclosure in the private sector to date.”
This bill empowers the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to batten the cyber-hatches. Specifically, those bodies must develop baseline cybersecurity guidelines for all federal agencies.
The hope is that it will in turn lead to an upgrade in the standards of those manufacturers who contract with the government. The additional hope is that those standards become commonplace, whether a company is working with the government or not.
“Of course it depends on the business and how much business they think they can get from the federal government,” Rep. Robin Kelly (D-Ill.), who sponsored the bill in the House of Representatives, told Cyberscoop. “I think it will sway some. I’m not gonna say it will sway all.”
If nothing else, it represents a baby step, a noble attempt at securing the ever-expanding cyber-border. By some estimates, there will be between 500 billion and one trillion connected devices around the world by 2030. And as Chris Hazleton, Director of Security Solutions at the mobile-security-solutions firm Lookout, told Security Magazine:
IoT devices are growing in diversity in terms of capabilities and price points, so there is pressure on manufacturers to rush devices to market, which means they often cut corners to maintain margins. Cybersecurity is often seen as a last-minute and costly add-on that manufacturers skimp on. Hundreds of millions of devices and network hardware have been delivered to market with simple default admin passwords. This creates a massive attack surface for any organization that deploys and relies on these connected devices.
Limiting that attack surface promises to be more and more difficult in the years ahead. But this bill begins to address that. It raises awareness, and will hopefully lead to an across-the-board improvement in security standards — standards that will forever need to be tweaked and upgraded. We can be sure that the hackers will never rest. Those on the other side of the equation can’t afford to either.