The Internet of Things Cybersecurity Improvement Act of 2019 is sponsored by Senator Mark R. Warner and is designed to make sure the government buys secure devices.
Currently, the country lacks federal IoT security standards. With the increase in IoT devices — and a definite issue with shoddy security — that’s a problem.
The US Congress hopes to change that by reintroducing the Internet of Things Cybersecurity Improvement Act of 2019. First introduced in 2017 and sponsored by Sen. Mark Warner (D-Virginia), the bill’s main provision is to ensure that the federal government buys secure IoT devices.
“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” Sen. Warner says.
Standardizing Security of IoT Devices
Currently, manufacturers decide on their devices’ security levels. Many implement minimal — if any — protections against cyber attacks and other security vulnerabilities.
Members of the US Senate and US House of Representatives have reintroduced the bill, hoping to standardize IoT technology. The lawmakers hope this bill will reduce those risks by imposing security standards on any IoT devices the federal government uses.
“Clearly there is an emerging threat created by having all of this stuff connected to the internet, which makes it vulnerable to cyberattacks [and] which can be directed to the device as a target or employ the device to attack others,” says Steve Bunnell, Data Security and Privacy Practice Chair of law firm O’Melveny. “A lot of the devices we’re talking about have no security. They weren’t built with security in mind, and there really isn’t any way to patch them.”
Lawmakers hope that requiring improved security standards for the federal government will lead to higher standards for the whole IoT market. The bill requires the National Institute of Standards and Technology to recommend security standards for the federal government and requires a standards review every five years. Vendors who sell to the government must also have a vulnerability disclosure policy in place.