Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Off-Prem

Edge + IoT

Hard to believe but Congress just approved an IoT security law and it doesn't totally suck

Secure coding, identity management, patching, configuration controls, what madness is this?

Kieren McCarthy Wed 18 Nov 2020  //  20:51 UTC

Every now and again the US Congress manages to do its job and yesterday was one of those days: the Senate passed a new IoT cybersecurity piece of legislation that the House also approved, and it will now move to the President’s desk.

As we noted back in March when the IoT Cybersecurity Improvement Act was introduced, the law bill is actually pretty good: it asks America's National Institute of Standards and Technology (NIST) to come up with guidelines for Internet-of-Things devices and would require any federal agency to only buy products from companies that met the new rules.

It gives a minimum list of considerations to be covered: secure code, identity management, patching and configuration management. It also requires the General Services Administration – the arm of the federal government that sources products and comms for federal agencies – to come up with guidelines that would require each agency to report and publish details of security vulnerabilities, and how they resolved them, and coordinate with other agencies.

Don't be too shocked, but it looks as though these politicians have actually got their act together on IoT security

READ MORE

Industry has also got behind the effort - Symantec, Mozilla, BSA The Software Alliance (which includes Apple, Microsoft, IBM, Cloudflare, the CTIA and others) - and Congress has managed to keep its fingers out of things it knows nothing about by leaving the production of standards with the experts, using federal procurement to create a de facto industry standard.

It’s not perfect of course. Companies will still be able to produce products that don’t meet the new standards and so there will continue to be insecure products aimed at consumers at lower prices, pretty much guaranteeing that cybersecurity is going to continue to be a major problem for the internet of things. And the law hasn’t taken on the fundamental issue of how and when devices are updated to deal with emerging security holes.

But this new law does mean that for those looking for good, secure products, there will be a baseline standard across the industry.

Good first step

The legislation was passed unanimously by the Senate and is the biggest piece of legislation on this critical issue: the attaching of millions - billions - of devices to the internet; many of which have poor security.

Assuming the president signs it, it will start taking effect next year - the original timeline of NIST recommendations by September was blown through thanks to Congress doing what it does best - arguing itself into stasis.

But its passing is cause for celebration: a federal, nationwide approach is going to be more effective than a series of state laws (both California and Oregon have already passed IoT security bills).

It is not a full solution. As noted above, it doesn’t require companies or anyone outside the federal government to produce or buy products that meet the new standards. So the market will continue to pump out insecure IoT devices; which in turn will create huge opportunities for botnets and DDoS attacks and data theft and so on.

But this is an essential first step to getting secure IoT in place. Who knows, maybe Congress will surprise us all again and set aside resources to push and promote the importance of buying products that do meet the new standards. Well, we can dream. ®
Send us news
20 Comments

Microsoft hosts a security summit but no press, public allowed

CrowdStrike, other vendors, friendly govt reps…but not anyone who would tell you what happened

Security biz Verkada to pay $3M penalty under deal that also enforces infosec upgrade

Allowed access to 150K cameras, some in sensitive spots, but has been done for spamming

Alleged Karakut ransomware scumbag charged in US

Plus: Microsoft issues workaround for dual-boot crashes; ARRL cops to ransom payment, and more

White House thinks it's time to fix the insecure glue of the internet: Yup, BGP

Better late than never

CrowdStrike's meltdown didn't dent its market dominance … yet

Total revenue for Q2 grew 32 percent

Volt Typhoon suspected of exploiting Versa SD-WAN bug since June

The same Beijing-backed cyber spy crew the feds say burrowed into US critical infrastructure

Microsoft security tools questioned for treating employees as threats

Cracked Labs examines how workplace surveillance turns workers into suspects

Watchdog warns FBI is sloppy on secure data storage and destruction

National security data up for grabs, Office of the Inspector General finds

Iran's Pioneer Kitten hits US networks via buggy Check Point, Palo Alto gear

The government-backed crew also enjoys ransomware as a side hustle

Transport for London confirms cyberattack, assures us all is well

Government body claims there is no evidence of customer data being compromised

House to grill CrowdStrike exec on epic IT meltdown... no, not the CEO

VP Adam Meyers to testify about that faulty software update which ruined July and some of August

GPT apps fail to disclose data collection, study finds

Researchers say that implementing Actions omit privacy details and expose info