House passes bipartisan legislation to set federal Internet of Things security standards

The House of Representatives has passed a bipartisan bill requiring that all Internet of Things devices purchased by the government meet minimum security requirements. The Senate will likely pass the measure and send it to the president’s desk for his signature.

The Internet of Things describes the interconnection via the internet of computing devices contained within everyday objects, enabling them to send and receive data. Examples include smart home security systems, connected appliances, wearable health monitors, and wireless inventory trackers.

The IoT Cybersecurity Improvement Act, approved by voice vote in the House on Sept. 14, directs the National Institute of Standards and Technology to create security standards that government agencies would have to follow when purchasing IoT devices.

Sponsors of the bill say it would use government procurement rules to drive forward more robust security in IoT systems, following a host of vulnerabilities and breaches in recent years.

“While IoT devices improve and enhance nearly every aspect of our society, economy and everyday lives, these devices must be secure in order to protect Americans’ personal data,” Rep. Robin Kelly, an Illinois Democrat and a sponsor of the bill, said in a statement. “The IoT Cybersecurity Improvement Act would ensure that taxpayers’ dollars are only being used to purchase IoT devices that meet basic, minimum security requirements.”

Sen. Mark Warner, a Virginia Democrat sponsoring a similar bill in the Senate, will push for passage of the House legislation by unanimous consent in the coming days, a spokeswoman said. Warner has been pushing to pass similar IoT security legislation since 2017.

Cybersecurity experts praised the bill’s House passage, even if it does not directly address the security of millions of consumer-grade IoT devices already deployed, including smart TVs, fitness trackers, smart appliances, and home-based voice assistants.

The bill is a “step in the right direction” for improving IoT security over the long term, said Dustin McEarchern, the chief security officer at ProTechnical, a managed services and security provider based in Reno, Nevada.

“In the short term, however, there are still hundreds of thousands or even millions of IoT devices in existence that may be vulnerable to known or unknown exploits,” he told the Washington Examiner.

In addition to the current bill, McEarchern called for IoT device manufacturers to be held accountable for their products and the damage they do.

The bill should improve IoT security because federal agencies are big purchasers of the devices, added Mike Nelson, vice president of IoT at encryption certificate vendor DigiCert.

The legislation “clearly states that the federal government will not purchase devices that do not comply with the standards and guidelines that are the result of this bill,” he told the Washington Examiner.

“Because of this, I believe manufacturers will pay attention and do whatever is necessary to keep the federal government as a potential buyer of their devices.”

However, it’s not yet clear what security standards NIST will push out, and agencies will have two years to adopt them, Nelson added. “I believe that is too long, and the government should move more quickly to get the standards and guidelines implemented,” he said.

Nelson added that the bill wouldn’t directly affect IoT companies that do not sell products to the government. However, “these companies could still use the standards and guidelines developed as a reference guide to help them implement good IoT product development security practices,” he said. “My hope is that these standards and guidelines will drive manufacturers to change the way they develop IoT devices.”

Many IoT device manufacturers serve both the government and consumer markets, noted Brad Ree, CTO of ioXt Alliance, which pushes for global IoT security standards. Because of the overlap, the bill should drive some additional security to consumer-grade devices.

“There are a lot of smart home manufacturers that also sell commercial products, and with this bill, it’s not practical for a manufacturer to follow different sets of standards and build two different versions of the same connected products,” Ree told the Washington Examiner. “It may start out for federal devices, but this bill opens the door for higher standards for security of IoT products in general, which will better protect consumers.”
