The US Congress has reintroduced a bill that seeks to manage the cybersecurity risks of the Internet of Things (IoT).
The Internet of Things Cybersecurity Improvement Act of 2019, sponsored by Senator Mark R. Warner, directs the National Institute of Standards and Technology (NIST) to develop appropriate guidelines on the use and management of IoT devices in federal agencies.
The bill also calls for the crafting of security requirements for managing risks associated with connected devices, which it defines as “any gadget capable of connecting to and is in regular connection with the Internet; and has computer processing capabilities that can collect, send, or receive data.”
Concern over the security of such devices is growing. With the interplay of fifth-generation cellular communication (5G) and artificial intelligence (AI), IoT is expected to experience tremendous growth this year and over the next five years.
Research firm Gartner alone forecasts 14.2 billion connected things to be in use in 2019, rising to 25 billion by 2025.
While no law yet governs the use and management of IoT devices in the United States, the state of California passed the first IoT cybersecurity law in September 2018, requiring connected devices sold in the state to have built-in security features effective January 1, 2020.
The legislation stems from the growing security implications of connecting objects on a massive scale.
In its Threat Landscape Report for Q4 2018, security firm Fortinet confirms that the convergence of physical things and cybersecurity is creating an expanded attack surface.
Half of the top 12 global exploits targeted IoT devices, and four of the top 12 were related to IP-enabled cameras, the report emphasized.
The IoT Cybersecurity Improvement Act of 2019 was first introduced in August 2017 by US Senators Warner, Cory Gardner, Ron Wyden, and Steve Daines. Back then, the proposed law already acknowledged that “while IoT devices and the data they transmit present enormous benefits to consumers, the relative insecurity of many devices presents enormous challenges.”
The legislation proposes to establish minimum security requirements for federal procurement of connected devices, as well as to develop third-party device certification standards for IoT.
In most regions of the world, the move to create new standards for IoT is gaining momentum. In November 2018, the International Organization for Standardization (ISO) released ISO/IEC 30141, which provides an internationally standardized IoT Reference Architecture.
In February this year, the European Telecommunications Standards Institute (ETSI) also released a new specification, TS 103645, which seeks to establish a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes.