New US Congress Bill Targets Minimum IoT Security Guidelines

Since the Mirai malware attacks in 2016, improving IoT security has been a top point of interest. They served as a major wake-up call for many organizations that had taken cybersecurity lightly until then. IoT devices are highly vulnerable, which is why they are hacked so often. Seems every day now we hear of strangers spying on families through baby monitors or messing with their thermostats.

IoT devices are also popular with large companies and organizations, including government agencies. An IoT security law that passed in 2018 demands manufacturers build security into their devices, but two senators have been working on a new bill to regulate smart devices at the federal level by ensuring a national standard.

The IoT Cybersecurity Improvement Act of 2019 now awaits a Senate vote because, in spite of their economic benefits, IoT devices are unreliable. The initiative in Congress to tighten security for connected devices and push for strict security laws is admirable, but it’s a tough task to actually ensure they are all patched, 100% secure and ready to go. Coming up with the actual standards is on NIST’s plate, the National Institute of Standards and Technology.

There is a catch though. The bill focuses on IoT devices used in government agencies that would completely malfunction, leading to serious damage and national security threats, if hit by DDoS attacks through IoT botnets, for example. To prevent this type of security incident, Congress believes a nation-wide bare minimum standard for manufacturers that want to sell their technology to the government should do the trick.

The plan is for the bill to drive change across all sectors to prevent the purchase in general of devices that can be easily hacked. All IoT devices purchased by government agencies will simply have to comply with the new guidelines and manufacturers will require a vulnerability disclosure policy.

“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Mark Warner (D-Va.), of the two voices behind the initiative.