Legislative activities are starting to make security a legal requirement for consumer IoT designs.
For many IoT development teams, security remains a wish-list item, seen as not worth the cost and effort of implementing in a consumer product. Consumers don’t seem willing to pay extra for enhanced cyber-security features or to avoid products that lack them. Legislative activities, however, are starting to make security a legal requirement for consumer IoT designs.
Speaking at IoT World Today’s IoT Security Summit, Katerina Megas, program manager for the Cybersecurity for IoT program at the US National Institute of Standards and Technology (NIST), pointed out that legislation requiring IoT devices to incorporate security is already on the books in some states and is being added to federal law as well. Laws in both California and Oregon that took effect in January 2020, Megas noted, require manufacturers of connected devices sold in those states to equip them with “reasonable security features.” Several other states, including Illinois, Massachusetts, New York, and Virginia, have similar legislation pending or under consideration.
Megas also noted that the US Government is beginning to enact legislation mandating IoT security. H.R. 1668, the Internet of Things Cybersecurity Improvement Act of 2020, was introduced in the US House of Representatives in March 2019. The act calls for the creation of “standards and guidelines for the Federal Government on the appropriate use and management by agencies of Internet of Things devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices.” It passed both the House and the Senate and was signed into law on December 4, 2020; NIST must publish the required standards and guidelines within 90 days of enactment.
While H.R. 1668 applies only to IoT devices that the US Government uses, it marks the beginning of cybersecurity mandates that will ultimately reach industrial and consumer systems across the US as well. In 2019, Congress established the Cyberspace Solarium Commission to develop a strategic approach for defending the US in cyberspace. The commission’s first report contained more than 80 recommendations, including more than 50 legislative proposals to help implement its layered defense strategy. Many of these proposals affect not only government systems but industrial and consumer systems as well.
Three of these proposals merit close attention from IoT development teams. One calls for a federal IoT security law mandating “reasonable security measures” in alignment with NIST recommendations such as NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers. Another calls for the establishment of a National Cybersecurity Certification and Labeling Authority to verify that IoT devices comply with those requirements, and for that authority’s scope to expand beyond federal and industrial IoT systems to encompass personal and consumer electronics.
The third proposal has the potential to override whatever economic objections to building security into IoT designs may remain. It calls for establishing liability for final goods assemblers: if implemented, manufacturers of IoT devices offered for sale would be liable for damages when their devices fail to protect against known vulnerabilities. In other words, IoT security becomes a “must-have” feature whether or not it entices consumers into spending more. The risk of omitting it would simply be too high.
What counts as the “reasonable security features” this legislation calls for is still only vaguely defined. In the California and Oregon laws, according to Megas, “reasonable” simply means measures that are appropriate to the device’s function and the information it handles, and that are designed to prevent unauthorized access, disclosure, use, modification, or destruction of that information. No specific measures are prescribed.
Nor are they likely to be. As Megas pointed out in her presentation, a guiding philosophy for NIST in recommending cybersecurity measures is that one size does not fit all, so specific measures are not being written into these laws. Instead, the efforts take an outcome-based approach: the coming laws will require IoT designs to implement cybersecurity but will not specify how, leaving that determination with the development teams. But the need for IoT security, and for an implementation that actually works, is on track to evolve from good sense into a legal requirement.
This article was originally published on EDN.
Rich Quinnell is a retired engineer and writer, and former Editor-in-Chief at EDN.