The U.S. government is a larger customer of IoT products than you may realize. Veterans Affairs, for example, buys connected IV pumps for its hospitals, while the Environmental Protection Agency buys water sensors to measure pollution.
To protect all of those devices’ potentially enticing data from hacks, the U.S. passed a well-designed cybersecurity law last December. The IoT Cybersecurity Improvement Act of 2020 has given the nation an excellent framework that will influence IoT security across the world.
Most IoT companies will not have the resources to develop separate lines of products—one line that conforms to the U.S. government’s security requirements and one that does not. It’s also hard to imagine why any other customers would settle for less-secure options, especially when many of the security requirements demanded by the law are broadly useful across all industries. So, while the law dictates only what IoT devices the U.S. government can buy, we’ll see a ripple effect as companies use the same secure devices for both government and nongovernment IoT deployments.
So, what’s to like about the law? Two things, as it turns out.
First, the law isn’t focused on securing individual devices by dictating password requirements or encryption standards, both of which will need to evolve. Instead, it relies on the National Institute of Standards and Technology (NIST) to set many of the requirements that government agencies have to follow when purchasing connected devices. These policies see overall security as the sum of several parts, requiring specific prescriptions for device, cloud, and communication security.
NIST’s initial rules include today’s best practices, such as having an over-the-air device update program, unique IDs for each device so it can be identified on a network, and a way for authorized users to change features related to access and security. The recommendations also include logging the actions taken by an IoT device or its related app, and clearly communicating the specifics of a device’s security to the user.
The other reason to like the law is that it remains adaptive and flexible by requiring NIST to assess the best practices for cybersecurity for connected devices every five years. Hacks, by their nature, are also adaptive and flexible, and so preventing them needs equally adaptable legislation. That means buying IoT devices that can receive over-the-air software updates, for example, to patch up any newly discovered exploits.
Unfortunately, the law isn’t airtight. While it forbids government agencies from buying devices that don’t comply with the security requirements, it does leave open a waiver process for devices needed for national security or research, as well as any devices secured using an effective alternative method.
I’m a little worried about the potential for government agencies to abuse the waiver process. As a nation, the United States tends to lump a lot of everyday activities under national security, meaning it’s not hard for a government agency to make the case that they don’t need to conform to NIST’s requirements.
Also potentially worrisome is the law’s loophole that exempts devices that are secured using “alternative and effective methods.” The law doesn’t clarify what agency evaluates the efficacy of these alternative methods or how that evaluation is made.
Despite these loopholes, I have to assume that manufacturers are waking up to the costs of having insecure devices in the field, and as such will embrace a set of rules that explain how to secure and update those devices. And besides, most IoT companies aren’t going to risk losing the U.S. government as a potential customer by not conforming to NIST’s standards. That could cost them even more.