For many, being able to securely connect, access, and move data across multiple devices is an integral aspect of everyday life. Some of our nation’s lawmakers are wanting to ensure that the internet connected devices that they use have the same established cybersecurity standards that the public has come to expect in the private sector. Lawmakers got one step closer to making that a reality this week.
The U.S. House of Representatives passed the Internet of Things ("IoT") Cybersecurity Improvement Act, known as House Bill 1668, earlier this week, which seeks to establish security standards for the federal purchases of internet-connected devices and the private sector groups providing such devices.
Currently, there is no national standard to ensure the security of internet-connected devices purchased by the federal government. Under the proposed law, these internet-connected devices, which would include computers, mobile devices and other devices that have the ability to connect to the internet, would now have to comply with minimum security recommendations issued by the National Institute of Standards and Technology ("NIST"). The bill does not lay out what those standards should be; rather, it tasks the Office of Management and Budget to oversee that adopted IoT cybersecurity standards are in line with minimum information security requirements.
Devices covered under the bill
The bill would not only cover computers and smart phones used by federal government officials. The legislation defines a covered device to include a physical object that is capable of being in regular connection with the Internet or a network that is connected to the Internet, and has computer processing capabilities of collecting, sending or receiving data. It would not include personal cell phones or personal computers. It also exempts devices that are necessary for “national security” or “research purposes”.
Obligations on the private sector under bill
The bill would require contractors and their subcontractors that provide covered devices to the federal government to notify government agencies of any security vulnerabilities. While security standards are being considered, private sector providers, contractors and subcontractors can look to Standards 29147 and 30111 in the International Standards Organization for guidance since bill drafters explicitly cited to them in the Act. There’s a process for companies to challenge whether their devices are covered under the bill as well.
Cyberthreat on IoT
The Mirai botnet attack in 2016 served as the drive for the Bill’s sponsors. Recall that the Mirai botnet attack left millions in the East Coast, among other locations, without access to many popular websites for a few hours in late October of 2016. The attack blocked unsecured internet connected devices from accessing popular websites such as Twitter, Netflix and the New York Times in order to carry out a cyber attack.
While Mirai primarily impacted internet connected computers, for many, including the IoT Cybersecurity Improvement Act sponsors, the Mirai attack showed just how debilitating a cyber attack can have on a heavily connected internet life, and the havoc attackers can create on unsecured internet connectable devices and the lives that depend on their functionality. Internet connected devices, or IoT devices, are devices which can be controlled or accessed using the internet, including everything from webcams to baby monitors to gaming consoles. It includes any exercise tracker or a programmable lock to your home. According to some estimates, there will be close to 75 billion IoT connected devices by 2025. The IoT Cybersecurity Improvement Act would work toward ensuring the government’s IoT connected devices containing the nation’s top data information are secure.
Up next for the bill
The IoT Cybersecurity Improvement Act heads next to the Senate floor, after passing unanimously by the House.