Federal Regulations for IoT?

The Internet of Things is taking over our lives. As of right now, there are no cyber security requirements in place to regulate the way these “things” interact with the internet. The Internet of Things landscape continues to grow, and it is increasingly seen as a potential cyber security disaster waiting to happen.

Politicians realized this back in 2017, and as a result a bill was introduced in Congress. That bill hoped to increase cybersecurity requirements for Internet of Things devices that were bought, used, and managed by the Federal government.

That bill never made it out of the Senate Homeland Security and Governmental Affairs Committee. This time, a similar bill is hoping to reintroduce regulations for Internet of Things devices purchased by the government. It would have the National Institute of Standards and Technology (NIST) identify cyber security standards for Internet of Things devices, and subsequent guidance for Federal agencies. The 2019 bill puts a greater emphasis on NIST’s role than the 2017 bill.

Arlene Santos is the Team Lead for the NSA’s IoT Enterprise Functional Team. In an interview with MeriTalk, Ms. Santos elaborated that “the next disruptive technology that is changing our lives” is the Internet of Things. She cited the statistic that cyber attacks involving IoT devices increased by 600 percent between 2016 and 2017.

The market has been flooded with devices that connect to the internet, some of them items you never would have expected, like a crock pot, or a washer and dryer unit.

There is a major problem here for the government. Without security standards in place, high-security networks, such as government networks, are left in a vulnerable position. Not having standards in place to regulate Internet of Things devices creates immense vulnerabilities that continue to grow.

Santos has identified two major issues that need to be fleshed out: the vulnerability, and the scope of the risks.

If the bill were to pass, the NSA and federal government agencies would conduct assessments and compile data for NIST to then use when creating its security standards for Internet of Things devices. The bill requires the recommendations to be compiled and provided to NIST by March of 2020. Because so many products are created with the potential to sell to the Federal government, Santos feels that “…if you want to be on our provider list, you must meet these requirements, and that clearly influences the major manufacturers…if you were a provider of the Internet of Things that would be used primarily, significantly, in the Department of Defense…if that is 50 percent of your sales, that’s pretty significant.”

Santos hopes that this would influence how Internet of Things devices are created moving forward. The Internet of Things, cloud services, and infrastructure are all becoming significantly interwoven, and since they rely so heavily on each other, it only makes sense that security would incorporate all of these aspects. The goal moving forward is to have a “layered” solution. “We need manufacturers, the industry, to move forward in that direction. It helps government, and the commercial (industry).”