The Gap Between U.S Federal and State Policies for IoT Security

In a recent article about U.S federal policy concerning IoT security, Justin Sherman identified several gaps in both cybersecurity and privacy policies. As Sherman has highlighted:

The United States federal government, like the rest of the world, is increasingly using IoT devices to improve or enhance its existing processes or to develop new capabilities altogether. But its policies on how to use those devices haven’t nearly kept pace. Not only is this problematic in theory—imagine, for instance, what would happen if thousands of electrical grid IoT sensors were hooked up with weak passwords and no strong encryption—but this has already threatened national security: Back in January, when researchers tracked U.S. military personnel over the Internet via their wearable devices, we saw the real dangers of using IoT devices without robust data privacy protections. This happened again over the summer when researchers traced military and intelligence personnel from around the world through the fitness tracking app Polar. In short, the government continues to implement IoT systems, as do their employees—that isn’t going to stop—but it’s happening without the proper policies to ensure it occurs safely.

At the same timeframe, California was to be the first State to sign a bill to set cybersecurity standards for web-connected devices. The California bill seeks to address some of the security flaws identified during the Mirai botnet attack, setting baseline cybersecurity standards for IoT devices where none exist. Although this bill could lay the groundwork for stronger IoT cybersecurity legislation at both the state and federal level, the bill’s language is too vague to be effective, and it offers an example of how not to approach IoT security.

Security researcher Robert Graham said that despite the good intentions, the bill “would do little improve security” because “it’s based on the misconception of (Read more...)