Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Off-Prem

Edge + IoT

Hard to believe but Congress just approved an IoT security law and it doesn't totally suck

Secure coding, identity management, patching, configuration controls, what madness is this?

Kieren McCarthy Wed 18 Nov 2020  //  20:51 UTC

Every now and again the US Congress manages to do its job and yesterday was one of those days: the Senate passed a new IoT cybersecurity piece of legislation that the House also approved, and it will now move to the President’s desk.

As we noted back in March when the IoT Cybersecurity Improvement Act was introduced, the law bill is actually pretty good: it asks America's National Institute of Standards and Technology (NIST) to come up with guidelines for Internet-of-Things devices and would require any federal agency to only buy products from companies that met the new rules.

It gives a minimum list of considerations to be covered: secure code, identity management, patching and configuration management. It also requires the General Services Administration – the arm of the federal government that sources products and comms for federal agencies – to come up with guidelines that would require each agency to report and publish details of security vulnerabilities, and how they resolved them, and coordinate with other agencies.

Don't be too shocked, but it looks as though these politicians have actually got their act together on IoT security

READ MORE

Industry has also got behind the effort - Symantec, Mozilla, BSA The Software Alliance (which includes Apple, Microsoft, IBM, Cloudflare, the CTIA and others) - and Congress has managed to keep its fingers out of things it knows nothing about by leaving the production of standards with the experts, using federal procurement to create a de facto industry standard.

It’s not perfect of course. Companies will still be able to produce products that don’t meet the new standards and so there will continue to be insecure products aimed at consumers at lower prices, pretty much guaranteeing that cybersecurity is going to continue to be a major problem for the internet of things. And the law hasn’t taken on the fundamental issue of how and when devices are updated to deal with emerging security holes.

But this new law does mean that for those looking for good, secure products, there will be a baseline standard across the industry.

Good first step

The legislation was passed unanimously by the Senate and is the biggest piece of legislation on this critical issue: the attaching of millions - billions - of devices to the internet; many of which have poor security.

Assuming the president signs it, it will start taking effect next year - the original timeline of NIST recommendations by September was blown through thanks to Congress doing what it does best - arguing itself into stasis.

But its passing is cause for celebration: a federal, nationwide approach is going to be more effective than a series of state laws (both California and Oregon have already passed IoT security bills).

It is not a full solution. As noted above, it doesn’t require companies or anyone outside the federal government to produce or buy products that meet the new standards. So the market will continue to pump out insecure IoT devices; which in turn will create huge opportunities for botnets and DDoS attacks and data theft and so on.

But this is an essential first step to getting secure IoT in place. Who knows, maybe Congress will surprise us all again and set aside resources to push and promote the importance of buying products that do meet the new standards. Well, we can dream. ®
Send us news
20 Comments

How nice that state-of-the-art LLMs reveal their reasoning ... for miscreants to exploit

Blueprints shared for jail-breaking models that expose their chain-of-thought process

US Cyber Command reportedly pauses cyberattacks on Russia

PLUS: Phishing suspects used fishing gear as alibi; Apple's 'Find My' can track PCs and Androids; and more

Qualcomm pledges 8 years of security updates for Android kit using its chips (YMMV)

Starting with Snapdragon 8 Elite and 'droid 15

Microsoft expands Copilot bug bounty targets, adds payouts for even moderate messes

Said bugs 'can have significant implications' – glad to hear that from Redmond

Check out this free automated tool that hunts for exposed AWS secrets in public repos

You can find out if your GitHub codebase is leaking keys ... but so can miscreants

Drug-screening biz DISA took a year to disclose security breach affecting millions

If there's something nasty on your employment record, extortion scum could come calling

Ivanti endpoint manager can become endpoint ravager, thanks to quartet of critical flaws

PoC exploit code shows why this is a patch priority

C++ creator calls for help to defend programming language from 'serious attacks'

Bjarne Stroustrup wants standards body to respond to memory-safety push as Rust monsters lurk at the door

Malware variants that target operational tech systems are very rare – but 2 were found last year

Fuxnet and FrostyGoop were both used in the Russia-Ukraine war

Bybit declares war on North Korea's Lazarus crime-ring to regain $1.5B stolen from wallet

Up to $140M in bounty rewards for return of Ethereum allegedly pilfered by hermit nation

100-plus spies fired after NSA internal chat board used for kinky sex talk

National intel boss slams naughty nattering on work systems as 'egregious violation of trust'

Healthcare outfit that served military personnel settles allegations it faked infosec compliance for $11M

If this makes you feel sick, knowing this happened before ransomware actors started targeting medical info may help