The now-expired 115th Congress left behind plenty of unfinished cyber business — rules for driverless cars and reauthorizing the DHS, for instance — but there’s a sleeper cyber issue that could grab lawmakers by their digital lapels: legislation setting security controls and expectations around the so-called “Internet of Things,” which includes everything from mobile phones to connected cars.
The potential for hacks affecting traffic lights, airplane controls, or even children’s toys has created lurid cyber scenarios. Business groups are exceedingly worried about security issues, liability, and reputational harm related to IoT devices, while consumers are inundated with warnings about their devices being hacked.
“In 2019,” said Andrew Howard, global chief technology officer of Kudelski Security, “cybercriminals will take advantage of IoT as a platform and … this will likely increase the cost of controls and compliance as well as spur new regulations that will mandate industry to disclose cyberattacks and hold companies accountable.”
That’s all conspiring to create momentum for pushing legislation forward.
“If we finish 2019 with a better handle on IoT security, I’ll be very pleased,” said Matthew Eggers, vice president for cybersecurity policy at the U.S. Chamber of Commerce. “A key reason to focus on IoT is it has a very strong public-private partnership construct. Government and industry are both looking to make progress.”
For the U.S. Chamber, which represents makers of IoT devices as well as many companies that use these products, “strengthening IoT security and increasing the [consumer] demand for secure devices” is a key objective for the new year, Eggers said.
He pointed to the National Institute of Standards and Technology as a federal agency that could take the lead on this issue, as it is both favored by industry for coming up with technical solutions and trusted by consumer-advocacy groups as an honest broker.
“We want to work with NIST on what security features should be across devices and for specific industries,” Eggers said. “Security baselines should be built into devices, and we need to have consumers aware of which ones are stronger — and to buy those devices.”
The Commerce Department — NIST is a Commerce agency — “is best positioned to convene these efforts,” Eggers said.
Government should play “Big Partner,” not “Big Brother,” in setting such standards, he commented.
Eggers said he is “agnostic” on whether security features should be communicated to consumers through labeling or some other tool, “but consumers need a way to determine which device is more secure.”
The goal, he said, is to “finish the year with a workable set of requirements — not regulations — and then in 2020, we can focus on how to distinguish products for consumers.”
Lawmakers are stirring on the issue, with plans in place for the coming year.
Sens. Cory Gardner, R-Colo., and Mark Warner, D-Va., and Rep. Robin Kelly, D-Ill., will reintroduce legislation setting security standards for IoT devices bought by government. Last fall the House passed the “SMART IoT Act,” a modest measure calling for a study of the security of internet-connected devices throughout the economy.
Rep. Kelly said in a statement: “As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure. Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices. It’s estimated that by 2020 there will be 30 million internet-connected devices in use. As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”
Rep. Frank Pallone, D-N.J., who will take over as chairman of the House Energy and Commerce Committee, supported the SMART IoT Act and has shown an interest in the issue.
Jeff Greene, of the security firm Symantec, applauded these moves: “unsecured IoT devices are an enormous — and growing — risk. But it does not have to be that way … We applaud Congresswoman Kelly for taking action to address this threat and to improve the Federal government’s IoT security. We look forward to working with her as this legislation moves forward.”
Those bills provide a starting point for legislative action, but efforts in the executive branch could end up pushing Congress to go further.
Botnets — hijacked computers and devices that are linked together by hackers to launch massive cyberattacks — are seen as a particular threat to the IoT and are targeted specifically under President Trump’s cybersecurity executive order.
Under the order, the departments of Commerce and Homeland Security are developing an anti-botnet plan, which could yield legislative recommendations by the end of the year.
The Chamber’s Eggers even suggested tying IoT security in with another business-community legislative priority: passage of the so-called Cyber SAFETY Act specifying liability protections for cybersecurity products and services.
“The Cyber SAFETY Act says products that get certified get liability protection. That’s a pretty good model and we could use that for IoT,” Eggers said. “Identify the stronger devices and give those companies liability protection.”
Kudelski’s Howard offered similar thoughts, saying that amid IoT threats, “cyber insurance will start to resonate more and more. Industrial companies that can gain visibility into all their cyber assets, as well as monitor and mitigate risk, will have better options for insuring the heart of their operations. To do so, they will have to adhere to security best practices and adapt to the evolving threat landscape.”