New US IoT law aims to improve edge device security

As the world moves toward interconnection of all electronic devices, the proverbial internet of things (IoT), device manufacturers prioritize speed to market and price over security. According to Nokia’s most recent threat intelligence report, IoT devices are responsible for almost a third of all mobile and Wi-Fi network infections.

This ratio will likely grow dramatically as the number of IoT devices continues its exponential growth. A recent report from Fortinet warns that the rapid introduction of edge devices will create opportunities for more advanced threats, allowing sophisticated attackers and advanced malware to “discover even more valuable data and trends using new EATs [edge access Trojans] and perform invasive activities such as intercept requests off the local network to compromise additional systems or inject additional attack commands.”

The Internet of Things (IoT) Cybersecurity Improvement Act, passed by the House in September and unanimously approved by the Senate last week, is a step toward warding off these threats and providing greater security in IoT devices. The act is headed to the desk of President Trump, who is expected to sign it into law.

The goal of the act, in the words of Congresswoman Robin Kelly (D-IL), one of the original sponsors of the legislation along with Representative Will Hurd (R-TX), is to “ensure that the US government purchases secure devices and closes existing vulnerabilities to protect our national security and the personal information of American families.” It aims to create “standards and guidelines” for the federal government to follow with the hopes that the requirements also make their way into private sector manufacturing.

NIST to publish IoT security standards within 90 days

The bill expects these standards and guidelines to be developed “collaboratively within and among agencies in the executive branch, industry and academia” and defines the IoT according to the second draft of the National Institute for Standards and Technology (NIST) Interagency or Internal Report NISTIR 8259, which was first published in January 2020 and then revised in July. Consistent with that NIST Definition, IoT devices must:

• Have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface, and are not conventional information technology devices, such as smartphones and laptops, for which the identification and implementation of cybersecurity features is already well understood.
• Can function on their own and cannot only function when acting as a component of another device, such as a processor.

Under the bill, the legislation requires the director of NIST to publish within 90 days of enactment standards for the federal government on the appropriate use and management of IoT devices by agencies, including minimum information security requirements for managing cybersecurity risks associated with such devices.  These standards and guidelines have to be compatible with NIST’s existing efforts related to IoT devices and must incorporate identity management, patching and configuration management.

Six months after NIST publishes its standards, the director of the office of management and budget (OMB) will, after consulting with the director of the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS), review the standards published by NIST. Any policy related to the act published by OMB will not apply to telecommunications or information systems that involve intelligence, military, or weapons systems. OMB will also be responsible for updating any policy or principles every time the NIST director reviews the IoT standards and guidelines, which the act says should be every five years.

The act also requires the NIST director to consult with industry and academia to develop within 180 days guidelines to report, coordinate, publish, and receive information about security vulnerabilities in IoT devices. The NIST director will also be responsible for reporting such vulnerabilities and disseminating information about them.

Finally, every two years after the bill’s enactment, the comptroller of the US will submit unclassified reports to the relevant House and Senate Committees to report on a waiver process set up in the act that allows OMB to issue waivers of the law’s provisions. One year after the Act is enforced, the comptroller general will brief the same committees about the broader IoT effort and submit the same report every two years.

Legislation envisioned by Cyberspace Solarium Commission

The successful passage of this legislation and the overwhelming support it garnered among lawmakers is due in no small part to the Cyberspace Solarium Commission, a bicameral, bipartisan public-private initiative designed to tackle some of the more intractable problems in digital security. In May, the Commission issued a white paper on “Cybersecurity Lessons Learned From the Pandemic,” which recommended that Congress pass an IoT security law.

Arguing that the law should only be minimally prescriptive, as the IoT Cybersecurity Improvement Act is, the paper advocated that “law should focus on known challenges, like insecurity in Wi-Fi routers, and mandate that these devices have reasonable security measures, such as those outlined under the National Institute of Standards and Technology’s “Recommendations for IoT Device Manufacturers.”

The original set of recommendations from the Commission did not specifically mention IoT devices. Still, the pandemic drove home the point that the vast swath of devices people use to work from home greatly expand the US digital attack surface, Robert Morgus, director of research and analysis for the Commission, said when introducing the IoT legislation recommendation in June. “We wanted to be minimally prescriptive when we talked about this, so we really went for real baseline requirement and recommendations, things like ensuring you have unique authentication built-in by default and asking that when an IoT device first gets connected to the network that the user has to enter a new authentication user ID and password and ensuring that devices are patchable.”