Congress Revisits IoT Legislation: What You Need to Know
By Chris Souza | April 18th, 2019
I was having lunch with one of my long-term MSP clients the other day, and we were discussing what the next ten years of his business might look like in relation to the technological advancements taking place all around us. He was particularly excited about the implications of the Internet of Things (or “IoT” for short), and with good reason. If you had to single out a trend that has the potential to virtually transform the way we work, it would be that one.
According to one recent study, there will be about 20.4 billion devices connected to the IoT as early as next year, including 90% of all automobiles which will even be connected to the Internet by about the same period of time. As a concept, it’s going to shape not only how data is used and accessed but also how it will be managed…
… which, of course, means that we also have to start thinking that much more about cyber security.
Over the last few years, there has been a fairly continuous market and legislative failure to secure IoT devices within the consumer space in order to reflect these changes in business technology. Maybe the best example of this comes by way of St. Jude Medical’s cardiac devices that were discovered to be hackable by experts at the FDA. Things like pacemakers and defibrillators are used to monitor patients and prevent heart attacks, but these devices in particular could also be easily accessed by a hacker rendering both the patient and medical device provider in a precarious situation.
When you’re talking about potentially losing your credit card number to a phishing scam, that’s one thing. When a device that is literally supposed to save your life can also be hacked from inside your body, that’s another matter altogether.
In an effort to get ahead of this problem as soon as possible, Congress recently debuted the “Internet of Things (IoT) Cyber Security Improvement Act of 2019.” It was designed in part to help not only protect consumers, but to also establish minimum security requirements – particularly as they relate to federally procured connected devices. What this means today and what it could mean moving forward are both ideas that are certainly worth a closer look.
The Importance of Vendor Commitments
One of the biggest themes of the legislation requires an “all hands on deck” approach to IoT cybersecurity. Moving forward and unlike before, IoT medical device manufacturers and vendors themselves have to now continue supporting their assets long after they’ve rolled off the factory floor and into the hands of the people who will actually be using them.
Most people don’t realize that as of today, most IoT devices are NOT routinely maintained and critical updates and patches are not usually applied by the vendor. This legislation aims to change that, and the old saying of “you’re only as good as your latest security update” is going to become even more relevant when there are billions of connected devices in the field.
The newly proposed bill outlines how vendors are supposed to address known vulnerabilities, too. VM scans, security assessment audits and true log monitoring aren’t just a way to guarantee that devices are protected against all known vulnerabilities, they’re also an opportunity to maintain your compliance status over the long-term and ensure a degree of consumer confidence.
If vendors find vulnerabilities under these new regulations, they must now disclose them to relevant regulatory agencies as well as HOW their device is secured and what steps they’re taking to limit the impact of that issue. This may be one of the areas where the bill could still use a bit of work, as any vulnerability is still a vulnerability regardless of the tools you’re using. “Limiting the impact” of a problem and “solving” the problem are two different things, after all.
Another somewhat concerning part of the bill comes by way of some “flexibility” it is supposed to offer to certain organizations and what it is referring to as “modest new device security requirements.” According to the legislation, these requirements can be waived if an agency employs their own “equivalent or more rigorous device security requirements,” or if third party device certification standards provide that equivalent (with NIST being given as an example).
This, of course, asks more questions than it answers. At that point, who will be accountable in the event that a breach occurs? Will it be the auditing authority or the device manufacturer? Who is going to verify a company’s security posture so that they can waive out of these requirements in the first place? How is this particular part of the bill going to be enforced moving forward?
Take DFARS, for example. We’ve written at length in the past about how DFARS enforcement leaves a lot to be desired. According to this bill, it would also provide “equivalent or more rigorous device security standards” than those being proposed – thus offering a workaround for businesses. But if nobody actually enforces DFARS, has anything actually changed? At that point, will this bill accomplish anything at all? It’s hard to say.
A Step in the Right Direction
All told, this new legislation does provide a helpful starting point to start securing the billions of Internet-connected devices we’re all going to be dealing with by as soon as next year. However, it’s overall effectiveness in its current state remains to be seen. Certain industry experts are already on board – representatives from the Harvard University Berkman Klein Center for Internet & Society, Mozilla and the Harvard Kennedy School of Government are very optimistic about how positive this has the potential to be.
The rest of us, however, will just have to wait and see. This is a piece of legislation that was certainly crafted by people who understand how important this topic is about to become.
About Chris Souza
Chris Souza and his team at Technical Support International have spent years helping organizations of all types protected themselves from both existing and emerging security threats. As the CEO of TSI, Chris spends his days helping business leaders leverage all of the benefits that modern technology has to offer, with as few of the potential downsides as possible.
It’s Your Move!
Whether it ends up actually protecting a landscape that is going to become incredibly complex incredibly quickly is something we will all find out together in the not-too-distant future.