Last week the United States Congress passed cybersecurity legislation that will set security requirements for any manufacturer of IoT devices that wants to sell to the US government. In addition, the government will incorporate those security requirements into procurement rules, ensuring that only devices that meet those requirements can be purchased. This is not going to solve cybersecurity overnight, but it is good initial progress on IoT security using one of the levers the government has: purchasing power.
This legislation is needed as IoT devices have long been a security challenge for many reasons including:
- Many IoT devices are used in botnets, which do not directly impact the owner of the device, making it hard to demonstrate the problem.
- There is no real evidence (that I know of, send some over if you have good research) that people will pay more for security.
- Device owners, both consumer and enterprise, may not even be aware of the risk and connectivity of their device.
Also, this legislation is building on a lot of previous work. Lots of folks have been looking at this, and I have been in lots of discussions both in government and outside of government. There have been good ideas around various security labeling options, consumer education, and regulation, in addition to leveraging what other countries have done. The UK, EU, Singapore, Australia, and maybe others have implemented either voluntary requirements, labeling systems to inform consumers, or mandatory requirements, and the US can learn from their experience.
When ideas around government requirements came up in my previous life, the pushback was always that government was too small a piece of the market. I assume that this is still a concern, but the hope/assumption is that when government sets a baseline, a fair number of other industries will adopt those baselines and eventually manufacturers will have to follow it.
There was likely pushback from various manufacturers or industries who would claim that baseline security requirements are a burden. A million years ago, when I worked on the NIST Cybersecurity Framework as a contractor at NIST, I heard this from many industries, which is one of the many reasons it is a voluntary framework. But IoT devices are different from risk management programs across industries or companies of very different maturity and resources, and I am glad the legislation was passed to start the process of getting hard requirements in place. Now there will be lots of fun discussions at NIST between smart folks from government and industry on what the specific requirements should be, but at least there is momentum.