Lawmakers in the US Senate have introduced a bill that would set baseline security standards for government-purchased connected devices, from computers and routers to security cameras and other IoT devices. The IoT Cybersecurity Improvement Act of 2017 comes in direct response to the constant stream of cyber-attacks amid a burgeoning market of connected devices.
The bill seeks to use the government’s buying power to set a basic level of security for IoT devices bought by the government. It would require vendors of connected devices to ensure that their products can be patched when security updates are available, that the devices do not use hard-coded (unchangeable) passwords, and that the devices are free from known vulnerabilities when sold.
A Bipartisan Effort
Given that the bill is bipartisan – introduced by two Democratic senators and two Republican senators – there is a decent chance it will survive Congress. The fact that President Trump signed an executive order on cybersecurity in May indicates he may be in favor of taking this action on cybersecurity. Then again, he’s been open about the fact that he’s not big on adding regulations to business.
Earlier this year, we heard musings about the Cyber Shield Act of 2017. It was introduced in the House and hearings were held in April. The idea was for manufacturers to display Cyber Shield labels on their connected devices to indicate the product meets government standards for cybersecurity. The act has not yet passed either house of Congress.
IoT Producers May Comply As Good Business Practice
Many IoT players are simply not worried about the government market, especially if their products are aimed at consumers or industrial customers. “The big question is whether IoT producers will be considerate of customers that might be re-selling their devices to the government. Even those producing consumer devices such as smart metering will likely have to deal with this. That includes state utilities and power companies,” Jake Sprouse, director of software engineering at the technology product design firm Synapse, told Design News. “Whether you’re affected will depend on who you are and what industries you play in. If you have government involvement, they’re going to be concerned about mitigating cybersecurity risk up front.”
Device makers will have to consider the requirements of this law even if the product is not affected by the legislation. “This new law will probably cause a broad swath of device makers to take security more seriously. Even if you’re a company making a connected toaster, you need to take care of these issues to stop bad things from happening downstream,” said Sprouse. “The important thing is to protect the brand by making sure your customers will not be affected by security.”
Security Affects Time-to-Market and Usability
The push to get new products out the door has sidelined cybersecurity somewhat, often making it an afterthought attached to an already-designed device. “This law would move the design trade-off decisions to an earlier point in the design process,” said Sprouse. “Before, device manufacturers put off the decisions or swept them under the rug. Now,