IoT’s big security problem finally reaches White House
- The proliferation of connected devices with no standardized cybersecurity guidelines has long been a concern
- A new bill has been pushed forward that will set security guidelines for the use of IoT devices by federal agencies
- It’s thought that this would pressure private companies to adhere to the same guidelines
The concept of connected devices and sensors — otherwise known as the Internet of Things (IoT) — is an exciting one that offers new levels of intelligence and control over the objects around us, in our homes, cities, and workplaces.
IoT is already empowering applications like predictive maintenance in factories, reducing downtime by circumventing failures, and ensuring that machinery is operating at peak performance.
In our own homes, a $20 web-connected security camera can send push notifications to our smartphones every time it detects motion. All this, and a lot more, is now possible through the mass of interconnected tech we call IoT.
For all of its potential, though, IoT has long been associated with poor cybersecurity. Every connected device we add to a network is essentially a gateway ready to be compromised. In the consumer domain especially, demand for IoT products presents such a lucrative market that the world is now awash with sub-standard devices, leaving personal networks vulnerable — a bigger problem than ever given the widespread shift to remote work.
There are 7 billion internet-connected devices in the world today, according to IoT Analytics, and the number is set to continue exploding as internet consumption rises and new gadgets and machinery hit the market.
As IoT begins to play a vital role in the digitization of our cities, services, and industry — from schools to hospitals to factories — there’s an indication that the US government may be ready to take the snowballing cybersecurity threat seriously.
Last week, the Senate passed a bill to secure IoT devices purchased by the federal government, pushing forward legislation that had been stalled since 2017.
At present, the Internet of Things Cybersecurity Improvement Act targets agency use of IoT devices, but it will likely push the broader IoT market towards better cybersecurity standards, according to Senators Mark Warner and Cory Gardner, who have backed the legislation throughout.
“While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security,” Warner (D-Va.) said in a statement following the vote.
“I urge the president to sign this bill into law without delay.”
Gardner added that “experts expect tens of billions of devices” to be operating on networks in the coming years.
“We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government’s networks,” Gardner said.
If the president signs the bill into law, the National Institute of Standards and Technology (NIST) will be required to issue recommendations for secure development, identity management, patching, and configuration for IoT devices.
According to Forbes, “The bill was written in response to major distributed denial of service (DDoS) attacks, including one in 2016 in which the Mirai malware variant was used to compromise tens of thousands of IoT devices, orchestrating their use in overwhelming and disrupting commercial web services. The threat hit closer to home for the federal government in 2017 when it was discovered that Chinese-made internet-connected security cameras were using previously undetected communications backdoors to ‘call home’ to their manufacturers, presenting a risk that what was visible to a camera’s lens was also visible to our geopolitical rivals.”
While the bill only addresses the use of IoT within federal agencies, it’s expected to raise the bar for security among vendors in the private sector. Some sellers will want to target both markets, while lawsuits for security lapses can use the NIST standards as a baseline for corporate negligence.
30 November 2023