The IoT Cybersecurity Improvement Act would require development of security standards and guidelines for federal IoT devices, but CISOs in the private sector could also benefit
Proponents of a proposed federal bill are seeking the development of security standards for all government-purchased Internet-connected devices — a move that could spur improved security for IoT deployments across non-government entities as well.
The IoT Cybersecurity Improvement Act of 2019, co-sponsored by Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas), would require the National Institute of Standards and Technology (NIST) to issue guidelines for the secure development, configuration and management of IoT devices. It would also require the federal government to comply with these NIST standards.
Perhaps more significantly, the bill would likely reach beyond the federal government if passed and made into law. Security experts predict that NIST standards would help elevate IoT security throughout private industry and during development of consumer products.
“Our bill establishes baseline cybersecurity standards for government purchased and operated IoT devices,” Rep. Kelly said in an emailed response to questions about the proposed legislation. “Right now, we are focused on securing government IoT devices. I think the most relevant piece to executives would be the ability to use NIST’s Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks as a model for internal standards.”
She added, “Our goal remains securing government IoT devices. If these standards are helpful to the private sector then that’s an additional benefit.”
IoT: Speed to market offsets cybersecurity
Security leaders said there’s a need for improved IoT security: Vendors work fast to bring IoT products to market, while enterprise leaders have moved just as quickly to capitalize on IoT deployments. In both cases, the desire for speed typically trumps security concerns, they said.
Now these security concerns are gaining new attention.
“People have been saying for at least three years that there’s a problem and we need to fix it,” says David Alexander, digital trust expert at PA Consulting.