The new law is called the Internet of Things Cybersecurity Improvement Act of 2020, and it is a start. Just a start.
While no one can agree on how many billions of IoT devices are going to be installed, or when, what we do know is that it will be tens of billions of devices, growing dramatically every year.
We also know that IoT devices are being hacked regularly, including the vulnerabilities disclosed in St. Jude Medical's implantable cardiac devices and the Mirai botnet, which hijacked hundreds of thousands of consumer devices to launch denial-of-service attacks.
The bill was passed by the House a couple of months ago, just passed UNANIMOUSLY in the Senate, and has been sent to the White House, where the President is expected to sign it.
So what does it do?
NIST is Required to Publish IoT Security Standards within 90 Days
This is kind of a freebie, since NIST has been working on this for a couple of years, but the final version still has not been released. Here is a link to the draft version.
NIST is Required to Publish Federal Government Standards for Use and Management Within 90 Days
This is a big one. The standards govern what agencies may buy and use, so if they require certain security features before a vendor can sell a device to the federal government (after all, who wouldn't want to be able to sell to the feds?), vendors are not likely to build two models, one for the feds and one for everyone else. Everyone benefits.
Six Months After NIST Publishes the Standard OMB will Review the Standards (and Modify any OMB Rules Needed to Comply)
This is a bureaucratic step, but it is what keeps government agencies from ignoring the law, so it, too, is important.
NIST Must Develop Vulnerability Reporting Guidelines Within 180 Days
NIST will work with security researchers and industry to create guidelines for reporting, coordinating, publishing and receiving information about security vulnerabilities in IoT devices, consistent with the existing ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling) standards. Standardizing this is important so that security researchers know the rules and what they can and cannot do, and so that vendors and contractors know how they are expected to receive and act on reports.
The Federal Comptroller will Report to the House and Senate Every Two Years About any Waivers Granted
Agency heads may waive the prohibition on buying non-compliant devices in limited cases, such as national security needs, research, or where the device is secured by other effective means, so this reporting shines a little daylight on any government shenanigans. The reports will be unclassified. The Comptroller will brief these committees after one year, and then every two years, about the broader IoT effort.
This bill is one thing that has come out of the Cyberspace Solarium Commission, which issued its report earlier this year. Hopefully, more will come of that report.
While it seems unlikely that the current occupant of the White House cares much about Internet security, it is already apparent that the next occupant will care significantly more. If Congress is nudged by the future White House to pass more legislation, that will certainly increase the odds that it does, which is, hopefully, good for security overall. Credit: CSO Online