The Federal Government Wants IoT Security to Improve
The Internet of Things Cybersecurity Improvement Act of 2017 is proposed legislation intending to require basic best-practices for cybersecurity when the government is looking to purchase products. It imposes certain design requirements and capabilities to enhance overall security.
It includes nontrivial vendor constraints things like:
- Vendors cannot release products with known vulnerabilities.
- Systems must be architected so they can be patched in the future when new vulnerabilities are discovered.
- Designs are prohibited from embedding fixed passwords that cannot be reset or changed.
Sadly, these are basic, yet not being consistently followed by the Internet-of-Thing (IoT) manufacturing industry. It saddens me that we must resort to legislation to enforce common sense cybersecurity practices. In my opinion, the technology industry has an ethical and business responsibility to provide customers with at least rudimentary capabilities to support security, privacy, and safety.
This legislation, if approved, will put limitations on what systems the U.S. government can consider procuring. Therefore, vendors who want such customers will need to be more responsible when it comes to designing in security to their products.
Recently the U.S. Army has ordered troops to stop using drones made by a major Chinese manufacturer, citing cyber vulnerabilities.
I support good security practices but in general feel legislation is a poor safety-net to make them commonplace. It shouldn’t be necessary. Sadly, I recognize that when the industry ignores the basics, market customers such as governments, may be forced to set their own standards for purchases.
I expect other governments and sectors like finance, healthcare, and critical infrastructure to also incorporate these guidelines in their procurement requirements. If other markets follow suit, it may be a harsh wake-up call for IoT vendors that security is as important as quality.