The U.S. IoT Cybersecurity Improvement Act Becomes Law

An important step toward securing the Internet was achieved on December 4, 2020, when President Trump signed an IoT security bill into law. The Internet of Things Cybersecurity Improvement Act of 2020 has been in the works since 2017 and was passed by the U.S. House of Representatives in September 2020 and the U.S. Senate in November 2020.

The bipartisan team that backed the IoT bill included Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Tex.), and Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.), and was backed by multiple tech companies, including BSA (The Software Alliance), Cloudflare, CTIA, Mozilla, Rapid7, Symantec, and Tenable, according to SecurityWeek.

This new IoT security law calls for the National Institute of Standards and Technology (NIST) to publish, within 90 days, “standards and guidelines for the Federal Government on the appropriate use and management by agencies of Internet of Things devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices.” This includes, but is not limited to, secure development, identity management, patching, and configuration management.

The law also requires the Office of Management and Budget (OMB) to publish recommendations within 180 days, based on the NIST publication and consultation with cybersecurity researchers and private sector industry experts.

It’s not just the federal government that is looking to fix this problem with legislation. According to BTB Security, “A growing number of state legislatures are concerned about the lack of security posed by Internet-of-Things (IoT) devices. California was the first to pass a law mandating better IoT security in 2018 and Oregon has followed suit this year while Illinois, Kentucky, Massachusetts, Maryland, New York, Rhode Island, Vermont and Virginia are considering similar legislation.”

Legislation is an important step in securing the rapidly growing number of Internet of Things (IoT) devices on the Internet. Today, poorly secured IoT devices are one of the greatest threats to the Internet and our collective digital security. According to Statista, there will be more than 75 billion IoT connected devices in use by 2025.

The risk of unsecured IoT devices is not news. Last year, Between The Hacks called for IoT standards and legislation in Attack of the Light Bulbs.

What Can You Do?

If you own IoT devices, here are a few tips you can follow to better secure and protect your devices and your network.

  1. Ensure that your IoT devices are regularly patched. You may have to do this manually for some devices that do not have automatic updates.

  2. Make sure your IoT devices are behind a firewall. Port forwarding means that the device is directly accessible from the Internet and it will be attacked.

  3. Put IoT devices on a separate network in your home or office. To do this, follow the recommendations in the Between The Hacks article, Home Network Segmentation: A Must In The IoT Era.