The IoT Bill

With the increased connectivity and communication between smart devices on the internet comes a vital need for guidelines and standards surrounding the handling of personal data and the security of the devices themselves. Congress formally recognized this need when the Senate passed H.R. 1668, the Internet of Things (IoT) Cybersecurity Improvement Act (the IoT Bill), by unanimous consent on November 17, 2020, following the House's passage of the bill in September; it now awaits the President's signature. The bill went through a series of iterations and revisions before reaching a form acceptable to both houses of Congress.

This bill charges the National Institute of Standards and Technology (NIST) with developing standards and guidelines for the federal government's use and management of IoT devices, which the Office of Management and Budget (OMB) must then turn into policy that agencies follow when they procure and operate such devices. The IoT Bill does not regulate private-sector devices directly, but because any vendor selling IoT devices to a federal agency must meet its requirements, NIST's guidelines could eventually become the de facto industry standard.

In the Bill's terms, an IoT device is one that has at least one transducer (a sensor or actuator) for interacting directly with the physical world, has at least one network interface, and can function on its own rather than only as a component of another device. For the purposes of H.R. 1668, conventional IT devices such as laptops and smartphones are not IoT devices, and national security systems are excluded from the Act's requirements.

According to the Bill, in order to manage cybersecurity risks, the NIST Director will publish standards and guidelines for federal agencies' secure use and management of IoT devices, including guidance on identifying, managing and patching security vulnerabilities. To accomplish this efficiently, the Director is to consider standards and best practices already developed by the private sector, other agencies and public-private partnerships. The IoT Bill requires cooperation across multiple agencies, including NIST and OMB, and one of its major provisions requires guidelines for receiving, coordinating, publishing and resolving reports of security vulnerabilities in devices owned or controlled by an agency. These provisions extend to contractors and subcontractors providing such devices to the federal government, and agency heads are barred from procuring or using IoT devices that do not comply. Waivers may be granted where a device is needed for national security or research purposes, or where it is secured by alternative means that are at least as effective, and periodic reviews along with Congressional briefings are required to keep the standards and guidelines current and effective.

Guidelines on how agencies use IoT devices are only half the picture; the devices themselves must be developed with security at the forefront throughout the entire design process, something that has often not happened in the past. The public is becoming increasingly comfortable with the proliferation of IoT devices and often ignores the security and privacy risks inherent in their use. A home Wi-Fi outage can render smart thermostats and door locks useless, and IoT devices used in healthcare can create dangerous, even life-threatening conditions if compromised. As ever more devices in people's lives are connected to the internet, they inherit the same weaknesses and vulnerabilities as the internet itself, which is why security has to be built in from the ground up rather than bolted on afterwards.

The IoT has experienced explosive growth in the last few years; according to Wired Magazine, by 2025 the world will have over 75 billion IoT devices. Every person interacting with an IoT device generates personal data that must be protected and opens another path through which attackers can gain a foothold; a Federal Trade Commission (FTC) staff report on the IoT noted that fewer than 10,000 households using a single home-automation product can generate over 150 million discrete data points a day.

Privacy and safety issues have come to light over the past several years, exposing grave security shortfalls and vulnerabilities. Examples include the 2013 Target breach, in which attackers first compromised Target's HVAC vendor through a malware-laden phishing email, used the vendor's stolen network credentials to reach Target's systems, and ultimately stole roughly 40 million customers' payment card details. In 2019, researchers and journalists exposed several problems with Amazon's Ring devices, including account takeovers through reused and credential-stuffed passwords and the sharing of information with police departments. And in December 2015 and again in December 2016, attackers caused power outages in Ukraine by compromising utility networks and control systems, proving that governments around the world, including ours, need to implement tight, coordinated and effective security measures to prevent cyberattacks that could damage or disrupt critical infrastructure.

Bills such as the IoT Bill are a much-needed first step toward building a strong foundation for secure, privacy-preserving IoT networks that are as resistant to attack as the technology allows. Many of these devices provide more than convenience; depending on their use, they can save lives, but their benefit is only as good as the security and privacy built into them.

To read the text of H.R. 1668, visit https://www.govtrack.us/congress/bills/116/hr1668.
