Congress Passes IoT Security Act, but is it Toothless?

The House and the Senate have both passed a bipartisan bill to shore up the security of “internet of things” devices. So, job done?

H.R.1668 – IoT Cybersecurity Improvement Act of 2020 mandates new standards for IoT stuff. However, it’s only applicable to devices bought by federal agencies.

But it was just a bill. Yes—only a bill. And they voted for it on Capitol Hill. In today’s SB Blogwatch, it’s off to the White House, where it’ll wait in a line, with a lot of other bills, for the president to sign (or not).

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: M1.


NIST and OMB to Lead

What’s the craic? Kieren McCarthy reports—“Congress just approved an IoT security law and it doesn’t totally suck”:

 Every now and again the US Congress manages to do its job. [The Act] is actually pretty good: it asks … NIST to come up with guidelines for Internet-of-Things devices and would require any federal agency to only buy products from companies that met the new rules.

Industry has also got behind the effort. … And Congress has managed to keep its fingers out of things it knows nothing about by leaving the production of standards with the experts. … This new law does mean that for those looking for good, secure products, there will be a baseline standard across the industry.

[It’s a] critical issue: the attaching of … billions of devices to the internet; many of which have poor security. [The] passing is cause for celebration: a federal, nationwide approach is going to be more effective than a series of state laws.

It is not a full solution. … But this is an essential first step.

And Lindsey O’Donnell—“IoT Cybersecurity Improvement Act Passed, Heads to President’s Desk”:

 Security experts are applauding the recent stamp of approval by the U.S. Senate. [It] was led in bipartisan sponsorship by Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.). … The next step is for it to be sent to the president to be signed into law.

It mandates that NIST must issue standards-based guidelines. [But] the Office of Management and Budget (OMB) must also implement requirements for federal civilian agencies to have information-security policies that are consistent with these NIST guidelines. … Federal agencies must also implement a vulnerability-disclosure policy.

NIST has [already] been developing “considerations” for manufacturer-based IoT security measures. … NIST’s EU counterpart, the European Union Agency for Network and Information Security (ENISA), has already published baseline security recommendations for IoT devices. [And] in 2019, the U.K. government announced a mandate promising new requirements [including] improvements around unique device passwords and policies around security updates.

So what of the inevitable loopholes? Kristin Bryan notes room to wiggle—“Legislation Clears Congress, Heads to White House”:

 [It] contains a procurement provision: The head of any federal agency is prohibited from “procuring or obtaining, renewing a contract to procure or obtain, or using an [IoT] device,” if the Chief Information Officer of that agency determines during a required review for “a contract for such device that the use of such device prevents compliance with the standards and guidelines.” … There are three limited grounds for waiver of this requirement – including if the CIO of the agency determines that:

  • The waiver is necessary in the interest of national security;
  • Procuring, obtaining, or using such device is necessary for research purposes; or
  • Such device is secured using alternative and effective methods appropriate to the function of such device.

Sounds good? Let’s be frank, Frank Burly: [You’re fired—Ed.]

 Requiring Federal agencies to buy IoT devices meeting a minimum security standard creates a market for secure IoT that didn’t previously exist. And now when the Chinese know that the guys in Cheyenne Mountain prefer the temperature to stay between 74 and 78F, they at least won’t know which guy keeps setting it to 84.

But sunstone sounds slightly sarcastic:

 With Chinese and Russian operatives creeping into every wifi router on the globe IoT security becomes an actual issue of national security with only political downside for not addressing it. Clap, clap, clap.

The mandating of updates sounds excellent, right? Wrong, says Mike 16:

 I’m more concerned about the standards governing how and when devices are updated to insert security holes. Plus the charming belief that some of these agencies will disclose the security holes they use.

But who cares if the government knows the temperature I set at home? Stop thinking like that, thinks DontBeAMoran:

 Before you think, “who cares if the government knows the temperature I set at home?”, imagine being billed even higher for setting your heating system at “temperatures above government approved levels.”

It’s a slippery slope, unfortunately we already have people buying spying devices with their own money and bringing them voluntarily into their homes. Soon, people without those spying devices will be offered free ones, then it will be law to own at least one of those in your home. Then it will become illegal to block the cameras and microphones of those devices.

If you think that’s crazy, remember that we all thought smart speakers were a crazy idea when they came out and that nobody in their right mind would buy those. Just wait a few years and the crazy becomes the new normal.

Let’s see who’s paying attention. DJV is, and spots the procedural oint in the constitutional flyment:

 It looked good until I saw the bit that said, “It will now move to the President’s desk.” What’s he going to do with it? Eat it? Turn it into a paper airplane?

Or can we live in hope that he won’t notice it until Biden takes over?

Meanwhile, this Anonymous Coward has heard it all before:

 The US government previously mandated OSI networking in its own procurement, and later, IPv6. Neither appears to have had a huge impact on commercial networking.

And Finally:

And? Finally!

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Shelly ʕ•ᴥ•ʔ (cc:by)

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
