IDG Contributor Network: Can U.S. lawmakers fix IoT security for good?
While the Internet of Things (IoT) has carved out a comfortable place for itself in today’s society and markets, many still fear that the interconnectivity-driven phenomenon is extraordinarily vulnerable to outside attacks. A number of U.S. Senators believe they may have a solution to the problem, and have put forward the Internet of Things Cybersecurity Improvement Act of 2017.
What are the exact details of the text of the bill, and how does it intend to secure one of the most diverse and unregulated assets of the economy? What potential pitfalls stand in the bills way, and how much of a chance does it have of becoming law? An analysis of the IoT Act reveals that it’s a healthy step in the right direction, but it may not be enough.
Pathing IoT vulnerabilities
As the strength and value of the IoT is driven by the proliferation of networked devices, it stands to reason that more and more digitally-connected gadgets could only be a good thing for it. Shoddy, non-patchable hardware has proven to be an incredible vulnerability for the IoT, however, and could cripple it in the future. One massive 2016 cyberattack exploited connected IoT devices for nefarious purposes, for instance.
The IoT Cybersecurity Improvement Act hopes to remedy this problem by reevaluating government procurement standards. Currently, many of the devices bought by government agencies come equipped with pre-installed passwords which can’t be changed easily, and sometimes can’t be changed at all. This serious security threat will be mitigated by the bill, which aims to enforce regulations which ensure all devices sold to the federal government are patchable.
The bill also prohibits vendors from selling devices which possess known vulnerabilities, and orders the Department of Homeland Security to work with industry officials to formulate clearer guidelines. These are all steps in the right direction, but may prove tricky to enforce, as the bill’s language regarding what constitutes an “internet-connected device” can be interpreted as being overly broad.
Uncertainty like that in a bill can be costly in the long run, driving up cost as courts must litigate over the tiny details in the bill’s language. Nonetheless, the frightening levels of vulnerability in the IoT, which is largely made up of un-patchable, relatively poorly-defended gadgets, necessitates a stricter approach to cybersecurity, which this bill attempts to provide.
Relying on the federal government
The success of the IoT Cybersecurity Improvement Act will largely hinge upon whether the federal government’s spending power is enough to solve the IoT’s security dilemma. While the bill possesses some language that fosters increased government cooperation with private industry leaders, it may not be enough to persuade the broader market to take the IoT’s cybersecurity more seriously.
IoT spending is already set to surpass $800 billion in 2017 alone, and could even rocket up to an astonishing $1.4 trillion by 2021. As the market for devices continues to grow, and global incomes rise, the IoT could be endangered if companies attempt to meet the staggering demand for IoT gadgets by lowering their security standards to optimize production.
A factsheet of the bill produced by one of its sponsoring senators even recognizes how challenging it may be for companies to meet some of its requirements, and notes that government employees could still buy non-compliant devices if they first receive permission from the Office of Management and Budget.
Regardless of what shortcomings the bill may possess, its incentivizing of manufacturers to produce better-secured devices will be invaluable in the years to come as the IoT continues to grow at a remarkable pace. Some parts of the bill’s language will be incredibly challenging to follow through on, such as its requirement that agencies inventory any and all IoT devices they use. To expect the government to accurately keep track of all internet-connected gadgets it uses could prove to be a pipe dream, but at very least such measures grant IoT security some of the respect and attention it desperately needs.
Some of the details of the bill could be misinterpreted and end up mitigating private researcher’s abilities to solve IoT security issues, but this too is unlikely, and could be solved with reasonable amendments and wise enforcement policies. Uncle Sam’s late arrival to the IoT cybersecurity scene could end up haunting the market for some time as hackers probe for opportunities, but should ultimately be welcomed as a new, more secure chapter in the IoT’s story.
While it would be a serious stretch to say that U.S. lawmakers have permanently secured the internet, the IoT Cybersecurity Act of 2017 takes aim at the most egregious vulnerabilities that plague the market today. The only question that remains is whether the bill can gather enough support to pass, and whether it will inspire the private sector to crackdown on future breaches of internet security.
This article is published as part of the IDG Contributor Network. Want to Join?