
IoT Cybersecurity Act of 2019: How will the government roll out new device regulations?

By Clayton Holland, Director, Cybersecurity
Apr 24, 2019
4 min. read

Alexa, do you have a secret clearance? A bipartisan internet of things (IoT) cybersecurity bill was introduced in Congress in March 2019, and manufacturers, agencies, and contractors are listening closely for next steps.

With cybersecurity at the top of the government's agenda, the act has drawn unusually broad bipartisan support in Congress. Past attacks on these devices have motivated leadership across the private and public sectors to support stricter regulation, which the act would introduce.

It tasks the National Institute of Standards and Technology (NIST) with developing strategy and guidance to strengthen internet of things cybersecurity. The institute will impose new testing and reporting requirements on vendors and rigid IoT acquisition requirements on departments and agencies.

To pull off these efforts, NIST will need to develop an internet of things cybersecurity strategy that draws on existing resources: the National Information Assurance Partnership (NIAP) for product testing, standardized vulnerability reporting using the Common Vulnerability Scoring System (CVSS), and straightforward integration with the Risk Management Framework (RMF) and Continuous Diagnostics and Mitigation (CDM) processes.

Tackling internet of things security concerns

Gartner predicts that will be connected to the internet by 2020. With this massive growth on the horizon, the potential for exploitation by malicious actors has escalated as well.

IoT devices are known for poor security practices such as shipping with default passwords. Until now, no national standards existed for manufacturers to follow, leaving insecure devices wide open to attackers.

The new IoT Cybersecurity Improvement Act's stated purpose is "to leverage Federal Government procurement power to encourage increased cybersecurity for internet of things devices, and for other purposes." The legislation hands off decision-making on execution to the National Institute of Standards and Technology.

To succeed, the institute will need to ensure the processes it defines are efficient and effective. In other words, it will need to integrate its solution into current federal cybersecurity workflows as seamlessly as possible.

Implementing new rules for agencies, contractors, and vendors

The institute's publications, as required by the act, will include policies and procedures for contractors and vendors providing a covered IoT device to the Federal Government. These issuances will cover the distribution of information about potential security vulnerabilities relating to covered devices and the resolution of those vulnerabilities.

The new rules will prohibit agencies from acquiring or using any covered device from a contractor or vendor that fails to comply with the institute's IoT cybersecurity guidance.

NIST's strategy may involve leveraging the existing National Information Assurance Partnership, which works with independent laboratories to support Common Criteria testing of commercial products against "protection profile" security capability targets.

If IoT reports (whether obtained from NIAP labs or elsewhere) map discovered vulnerabilities to the institute's extensive National Vulnerability Database, use CVSS scores, and follow the established automation protocols, agencies should be able to integrate IoT vulnerability reporting with NIST's current RMF and CDM workflows with little friction. That efficiency would allow managers and cybersecurity support staff within agencies to assess IoT risks case by case, at the level of an individual implementation, and to make appropriate risk-based decisions about usage.

Common Criteria testing of products against protection profiles by the partnership's independent laboratories is long, arduous, expensive, and paid for by product suppliers. However, there is precedent for IoT suppliers running the Common Criteria gauntlet.

In 2017, LG's webOS 3.5 smart TV platform received a Common Criteria certification for its Enhanced Application Security Solution version 1.0 software.

As more manufacturers learn to navigate the system, the industry may voluntarily apply the new standards to all internet of things devices, not just those sold to the government. This would afford the same level of security to the public, but it is not part of the required compliance measures.

Recommendations for rollout

Pragmatically speaking, large-scale IoT cybersecurity vulnerability assessment and reporting will need to be significantly more efficient than the Common Criteria international standard allows, though it may still benefit NIST to leverage the NIAP's independent laboratories.

The institute will best serve its constituency by developing internet of things vulnerability testing and reporting guidance designed to integrate with existing cybersecurity and risk management standards and processes. These include the Risk Management Framework, Continuous Diagnostics and Mitigation, the National Vulnerability Database, and the Common Vulnerability Scoring System, all already in use throughout the Federal Government, segments of critical infrastructure, and private industry.

Beyond policy and vulnerability testing, IoT cybersecurity will also require protection and defense missions. The 2019 act helps ensure that these devices receive thorough examination and regulation, but the government will have to take proactive steps to stay ahead of attackers. We anticipate greater defensive activity as internet of things protocols evolve. As with all emerging technologies, it is a race to stay ahead of the cybersecurity curve.
