A bill to help strengthen the Wild West of the Internet world - the internet of things (IoT) - advanced this week.
A bipartisan bill designed to help thwart future attacks on critical government information technology infrastructure by safeguarding security around the internet of things, or IoT, was advanced by an investigative committee this week.
The House bill, dubbed the Internet of Things Cybersecurity Improvement Act of 2019, was advanced by the House Committee on Oversight and Reform on Wednesday. If passed, the bill would mandate that IoT devices purchased by the U.S. government meet certain security thresholds in order to ensure that individuals’ data and government networks remain safe from hackers.
The bill, H.R.1668, was introduced in the House back in March by U.S. Representatives Will Hurd (TX-23) and Robin Kelly (IL-02), while a companion bill, S.734, was introduced in the Senate by Senators Mark Warner (D-VA) and Cory Gardner (R-CO). Together the bills have 29 bipartisan cosponsors.
The gist of the bill is to establish what the politicians see as “light-touch, minimum security requirements for procurements of connected devices by the government.” Specifically the bill would compel the National Institute of Standards and Technology (NIST) to publish a report and issue guidelines around how to securely develop, identify, manage, patch, and configure IoT devices. Under the bill, NIST would also be directed to work in tandem with cybersecurity researchers and experts across the industry on coordinated vulnerability disclosure to further mitigate vulnerabilities in devices.
Independent of NIST, the Office of Management and Budget (OMB) would enact safeguards of its own under the bill, disseminate the guidelines to government agencies, ensure they’re on par with NIST’s research, and review the policies at least every five years. The OMB would also take NIST’s vulnerability disclosure standards and encourage agencies to follow them.
According to the text of H.R.1668, Hurd and company hope that NIST's review could be done by September 30, 2019 and that NIST's guidelines for minimizing IoT cybersecurity risk could be done by March 31, 2020.
While unrelated to this bill, NIST has taken steps
In April it posted a draft practice guide around what consumers should expect from IoT device manufacturers through the prism of the Internet Engineering Task Force’s (IETF) Manufacturer Usage Description (MUD) Specification, an architecture that outlines "a means for end devices to signal to the network what sort of access and network functionality they require to properly function." The guide, "Securing Small Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD)," also shares insight around whether MUD protocols can "reduce the potential for harm from exploited IoT devices."
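To make the MUD mechanism concrete, here is an added example (not code from NIST's practice guide or from the IETF) of the core idea: the manufacturer publishes a file declaring which peers, protocols and ports the device needs, and the network turns that declaration into an allowlist with everything else denied, which is what limits the damage an exploited device can do. The MUD file below is constructed for a hypothetical thermostat and follows the RFC 8520 JSON layout (the `ietf-mud:mud` header plus `ietf-access-control-list:acls` bodies); the hostnames `iot.example.com`, `update.iot.example.com` and `time.iot.example.com` are placeholders, and the interpreter only handles the DNS-name, IP-protocol and port matches that the sample uses. A real MUD manager would also fetch the file from the `mud-url`, verify its signature, resolve the names and push rules to a switch or firewall.

```python
"""Minimal MUD (RFC 8520) file interpreter: turn a manufacturer's declared
communication profile into an allowlist and check flows against it.
Added illustration only; the sample file is constructed and the parser covers
just the DNS-name / protocol / port subset of the ACL model."""
import json
from dataclasses import dataclass

# Constructed MUD file for a hypothetical thermostat. The vendor declares that
# the device only initiates TCP/443 to its update server and UDP/123 to its
# time service, and only accepts replies from the update server.
SAMPLE_MUD = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://iot.example.com/thermostat",  # placeholder URL
        "last-update": "2019-06-12T00:00:00+00:00",
        "cache-validity": 48,
        "is-supported": True,
        "systeminfo": "Example thermostat (constructed sample)",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "mud-fr"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "mud-to"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "mud-fr", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "update-out",
             "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "update.iot.example.com",
                                  "protocol": 6},
                         "tcp": {"ietf-mud:direction-initiated": "from-device",
                                 "destination-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}},
            {"name": "ntp-out",
             "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "time.iot.example.com",
                                  "protocol": 17},
                         "udp": {"destination-port": {"operator": "eq", "port": 123}}},
             "actions": {"forwarding": "accept"}},
        ]}},
        {"name": "mud-to", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "update-in",
             "matches": {"ipv4": {"ietf-acldns:src-dnsname": "update.iot.example.com",
                                  "protocol": 6},
                         "tcp": {"ietf-mud:direction-initiated": "from-device",
                                 "source-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}},
        ]}},
    ]},
})


@dataclass(frozen=True)
class Rule:
    direction: str   # "from-device" or "to-device"
    peer: str        # DNS name of the remote end, as declared by the vendor
    protocol: int    # IP protocol number (6 = TCP, 17 = UDP)
    port: int        # remote port for from-device, remote source port for to-device


def parse_mud(text: str) -> list[Rule]:
    """Follow the policy references in the MUD header into the ACL bodies and
    collect every 'accept' ACE as a Rule. Matches outside the supported subset
    are skipped, so they never widen the allowlist."""
    doc = json.loads(text)
    mud = doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, key in (("from-device", "from-device-policy"),
                           ("to-device", "to-device-policy")):
        for ref in mud[key]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                if ace["actions"].get("forwarding") != "accept":
                    continue
                m = ace["matches"]
                ip = m.get("ipv4") or m.get("ipv6") or {}
                l4 = m.get("tcp") or m.get("udp") or {}
                # Outbound rules name the destination, inbound rules the source.
                peer = (ip.get("ietf-acldns:dst-dnsname") if direction == "from-device"
                        else ip.get("ietf-acldns:src-dnsname"))
                port_key = "destination-port" if direction == "from-device" else "source-port"
                port = l4.get(port_key, {})
                if peer is None or port.get("operator") != "eq" or "protocol" not in ip:
                    continue
                rules.append(Rule(direction, peer, ip["protocol"], port["port"]))
    return rules


def is_allowed(rules, direction, peer, protocol, port) -> bool:
    """Default deny: a flow passes only if some declared rule matches it exactly."""
    return Rule(direction, peer, protocol, port) in rules


if __name__ == "__main__":
    rules = parse_mud(SAMPLE_MUD)
    for r in rules:
        print(r)
    # Declared update traffic passes; a compromised device reaching elsewhere does not.
    print(is_allowed(rules, "from-device", "update.iot.example.com", 6, 443))
    print(is_allowed(rules, "from-device", "unlisted-host.example", 6, 443))
```

The point of the check is the last two lines: the same TCP/443 flow is accepted to the declared update server and refused to any host the manufacturer did not name, so a device that is taken over cannot be repurposed to scan or talk to arbitrary endpoints without the network noticing the denied flows.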
The laboratory, which is a non-regulatory agency of the U.S. Department of Commerce, has also released publications to help federal agencies manage IoT cybersecurity and privacy risks and started an IoT program to foster stakeholder engagement.
“We live in a world where we’re becoming increasingly dependent on connected technology. In fact, millions of everyday devices – such as cars and refrigerators – are now connected to the internet. Frankly, it’s alarming that we still lack basic security standards for these devices, particularly for government-owned connected technology. Right now, our nation faces a myriad of cyber threats and today’s markup of this bipartisan bill takes an important step in improving our nation’s cybersecurity posture,” Warner said of the bill on Wednesday.
If it seems like the government sector has been talking about securing IoT for a while, it’s because that’s pretty much been the case.
The Chief Information Officer for the U.S. Department of Defense warned about the dangers of IoT nearly three years ago in a report summarizing policy recommendations:
“The immense promise of this technology comes with immense risks. While there have always been risks to DoD sensors and controls, their proprietary nature and isolation limited the possibility of attack. Now, with such capabilities being given Internet access, DoD is entering a quickly deepening pool of vulnerability,” Terry Halvorsen, then DoD CIO, now CIO/EVP at Samsung Electronics, said of IoT at the time.
A Gemalto report (PDF) issued last year found that 79 percent of businesses interviewed called on governments to provide more robust guidelines around IoT security. Slowly but surely, it seems as if those guidelines are forthcoming.