Congress tries again with IoT security

Last week, four Senators and two members of the House introduced a new bill aimed at protecting connected devices that are used by the U.S. government. It is called the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 and roughly the fourth or fifth attempt to get something through Congress related to the lack of secure connected devices.

But this bill is very different than previous efforts, which took a bare minimum approach to legislation. The nine-page bill essentially asks Congress to order the National Institute of Standards and Technology (NIST) to prepare a list of good security practices and then give that list to the Office of Management and Budget (OMB) so it can tell agencies what rules they need to follow.

Unlike the first attempt in 2017, this bill is far less prescriptive when it comes to specifics. In the 2017 version, we had to trudge through definitions of firmware and hardware, read about hard-coded passwords, and dig through several other elements. It went a bit too far in detailing how government agencies should decide if a connected device they wanted to buy was secure.

Because security is a moving goalpost, this bill does away with the hard-coded dictates to let NIST build a list and then update that list every five years. I wish the list was updated every year, but the government is a slow-moving beast. This is a good start.

But this bill has its issues. For security experts, two in particular jump out. The first is the bill doesn’t specifically focus on the procurement of connected devices, as the 2017 version did. In that earlier version, it was clear that if the government wanted to buy a connected product it had to follow the list of rules set forth in the bill.

The new bill is vague. It says that NIST “shall develop recommendations for the Federal Government on the appropriate use and management by the Federal Government of Internet of Things devices owned or controlled by the Federal Government…” (emphasis mine).

There’s nothing explicit about procurement, which is akin to saying that the government must use an item that no one currently makes. In the previous version, when it did focus on the procurement process, the bill said governments had to buy connected devices, and would by extension push those interested in selling to the government to make secure devices. Without knowing how NIST and the OBM formulate their guidelines, it’s not crazy to think that if a secure option isn’t available, the government agency might get a pass.

Beu Woods, a cyber safety innovation fellow with the Atlantic Council and a co-founder of a volunteer security group called I am the Cavalry, says he’s been assured that the lack of focus on procurement isn’t a big deal. He’s still worried about it, though. He’s also worried that the two-stage process with NIST and the OBM will mean that security recommendations can be watered down.

One way to help prevent them from being watered down would be to include a list of goals that Congress has as part of the legislation. Woods pointed to a House bill submitted in December by Rep. Robin Kelly (D-Ill.), which began with a list of findings from Congress detailing some of the problems associated with poor IoT security. The bill went on to state that Congress believes IoT device security should be the collective responsibility of the president, the heads of various government agencies, and the OMB, and that the benefits of any digital transformation “depend on proactively addressing cybersecurity throughout the Government’s acquisition and operation of IoT devices.”

That relatively bold mandate is missing from the current IoT Cybersecurity Improvement Act. It’s no wonder Woods would like to see it in there. The Kelly bill also has a section governing security at third-party contractors that’s worth including in the NIST recommendations, as well as a remediation plan for devices that were purchased before any laws went into effect.

It’s possible that the NIST guidelines will address these issues under the 2019 bill, but there’s no guarantee that will happen. If the current bill is passed I recommend taking a look at the Kelly bill as well as earlier iterations of it to get a sense of the things that NIST should cover. While NIST is a technologically competent agency that conducts regular public inquiries, influencing the process happens in an arena where most people won’t see it.

When discussing the security of devices, having a more open process is good. A bill that encourages more openness, and provides a few more guideposts as to what Congress wants to accomplish, would be even better.