Legislation to set minimum cybersecurity requirements for internet-connected devices used by the federal government could end up becoming a standard for the private sector.
Worries about a lack of security for these technologies, known collectively as the Internet of Things, persist because many weren’t built to allow the same patching and maintenance rigor as other systems connected to the internet. That leaves an opening for hackers. For instance, a network of hijacked computers, including IoT devices, launched an attack on a web services firm in 2016, disrupting internet access to
and other popular sites on the U.S. East Coast.
Private-sector companies are likely to adopt cybersecurity legislation recently passed by the House of Representatives as a standard given the sheer range of technologies the bill covers, said
, chief technology officer at the IOXT Alliance, an association of IoT manufacturers, retailers and network operators. Many devices that government agencies might use would serve the same function for consumers.
Internet-connected thermostats, lighting controls and cameras, for example, will work the same regardless of whether they are in government offices or corporate headquarters. This means companies will build common platforms adhering to a universal standard rather than building different versions for different customers, he said.
The legislation is focused on government purposes but “will be a great road sign for the rest of the broader market,” Mr. Ree said.
Internet of Things technology includes a range of devices, from simple environmental sensors that measure pollution levels to advanced personal assistants run on artificial intelligence.
The IoT Cybersecurity Improvement Act, which passed the House on Sept. 14, sets several security requirements for devices used by government agencies. It directs the National Institute of Standards and Technology to publish guidelines on IoT security for the federal government and update these at least every five years. Contractors supplying devices to the government must allow security researchers to test them for flaws and report those findings.
The bill now goes to the Senate, where time is the primary obstacle to passing the bipartisan legislation, said
, of counsel at Morrison & Foerster LLP.
The push to fill a Supreme Court vacancy and debate on coronavirus relief measures occupy the current congressional session, which is due to end in January.
With the cybersecurity legislation, the government in effect is using the power of its procurement budget to force manufacturers to improve their protections, Mr. Iftimie said
“I think [manufacturers] recognize that regulation is inevitable in this space, given the pervasive nature of IoT devices, and they would rather see one single national standard,” he said.
IoT manufacturers and suppliers are backing the bill in part because they want to avoid a patchwork of laws in the 50 states, similar to what happened with privacy legislation. California and Oregon have already passed their own IoT security bills, while a number of other states have considered similar measures, which differ in their level of detail. Oregon’s bill, for instance, defines what it considers to be “reasonable security measures” to the level of outlining acceptable password-generation methods, while California’s language is looser and doesn’t spell out penalties for noncompliance.
The federal proposal itself has changed from its introduction in March 2019, after attracting wide interest from trade associations, technology companies and telecommunication providers. Lobbyists met with government officials about the bill dozens of times, according to regulatory filings collated by the Center for Responsive Politics.
The language in the bill is now less granular and direct than the original draft, said Mr. Ree of the IOXT Alliance, which includes
“From an industry side, we really did not want to have an act of Congress to change a password. That literally was a path they were going down,” he said.
Write to James Rundle at [email protected]