Growing awareness regarding cybersecurity concerns with the Internet of Things (IoT) has achieved a milestone with the promulgation of the IoT Cybersecurity Improvement Act (the Act), which was signed into law by President Donald Trump on December 4, 2020. The Act requires the development, adoption and implementation of security standards for IoT devices by the federal government. Government contractors now have a new set of obligations relating to IoT cybersecurity compliance. Although the Act is the first federal law specifically targeting IoT cybersecurity, a California law requiring “reasonable” and “appropriate” IoT cybersecurity took effect January 1, 2020, and the U.K. also has IoT cybersecurity regulatory efforts underway. The Act was written in response to major distributed denial of service (DDoS) attacks, including one in 2016 in which the Mirai malware variant was used to compromise tens of thousands of IoT devices, orchestrating their use in overwhelming and disrupting commercial web services. The threat hit closer to home for the federal government in 2017, when it was discovered that Chinese-made Internet-connected security cameras were using previously undetected communications backdoors to “call home” to their manufacturers, presenting a risk that what was visible to a camera’s lens was also visible to our geopolitical rivals.
The IoT devices covered under the Act include any physical object that is capable of being in regular connection with the Internet or a network that is connected to the Internet, and that has computer processing capabilities of collecting, sending or receiving data. In response to the vast consumer and commercial markets for such devices, many vendors have pushed to sell them without attention to basic security. One of the main problems with IoT security is that the rush to market often de-prioritizes security measures that need to be built into these devices. Criminals can exploit vulnerable products by leveraging their computing power, orchestrating massive IoT botnet campaigns to disrupt traffic on targeted services and to spread malware. Moreover, by compromising an IoT device, attackers can not only disable or manipulate the compromised device, but also potentially extend their reach further on the networks to which the device is connected to potentially access personal or other sensitive information. In a world where IoT devices have become ubiquitous and increasingly relied upon, the cybersecurity stakes are monumental.
The Act requires security standards and guidelines to be published by the National Institute of Standards and Technology (NIST) by March 4, 2021, although NIST does have a head start in carrying out this directive given its numerous ongoing, related initiatives (see https://www.nist.gov/internet-things-iot). (The European Union Agency for Cybersecurity (ENISA) has also published several recommendations and studies on IoT security. See https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/iot.) Specifically, the Act directs NIST to ensure the consistency of its publication pursuant to the Act with its existing guidance regarding IoT vulnerabilities and considerations about how they should be managed, including in the domains of secure development, identity management, patching and configuration management. The NIST standards and guidelines will then be incorporated into federal government information security policies and principles as well as Federal Acquisition Regulations by September 4, 2021.
Also by September 4, 2021, NIST must publish certain guidelines, including guidelines on IoT vulnerability information sharing and resolution for IoT devices “owned or controlled by an agency.” Of much wider concern to many businesses, NIST must also publish guidelines for government contractors providing IoT systems “and any subcontractor thereof at any tier providing such information system to such contractor.” These broadly applicable guidelines are to address information sharing regarding “a potential security vulnerability relating to the information system” and the resolution of such vulnerabilities. Subject to limited exceptions, government agencies are prohibited from buying or using IoT devices that do not comply with the NIST standards and guidelines.
Finally, the Act requires contractors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
Impact and Considerations
The promulgation of the Act means that the starting gun has already been triggered for businesses that need to evaluate and remediate the security of their IoT systems. Given the timelines required under the Act and the broad spectrum of security domains impacted by it, a “wait and see” approach is no longer a workable strategy for most organizations. Fortunately, with the Act requiring that the forthcoming NIST standards and guidelines be consistent with the existing NIST guidance on IoT, the Act enables businesses to take action immediately, with confidence that it will not be countermanded by future requirements.
Many businesses have not developed or updated their vulnerability management programs to the degree that would be required under the Act, in particular with respect to IoT. Since developing such programs requires attention to a number of legal, business and technical considerations, and the balancing of a number of significant concerns for enterprise risk management, the time to effectuate these programs is now. These programs need to extend beyond the IoT device itself. For example, the application layer of most IoT technologies is critical to their successful implementation, providing the ability to install, operate, manage and update a device as well as connect it to other integrated systems. These applications are no less susceptible to security vulnerabilities than are traditional web or mobile applications, and the Act requires identifying and communicating such vulnerabilities. Moreover, making changes to sensitive processes such as software development or patching and configuration management may require identification, evaluation, procurement or development, and implementation of new technology, or the hiring or training of human resources with new skills, none of which happens overnight.