Crossroads Blog | CYBER SECURITY LAW AND POLICY

Congress, Cyber Legislation, IoT

Draft Internet of Things (IoT) Cybersecurity Act of 2017

The Draft IOT Cybersecurity Act of 2017: According to an article in the National Law Review, this draft legislation was introduced by Senators Mark Warner, Cory Gardner, Ron Wyden, and Steve Daines. The purpose of the legislation is to entice IoT vendors to implement the following designs into their products:

  • the ability to patch devices;
  • a commitment to withholding devices from market if they contain known vulnerabilities;
  • implement standard/known network protocols; and
  • refrain from using hard-coded passwords on these devices

[pdf-embedder url=”http://blog.cybersecuritylaw.us/wp-content/uploads/securepdfs/2017/08/CyberFactSheet2017.pdf”]

This legislation would mandate that government procurement would be limited to vendors/products that meet these requirements (possibility of case-by-case waivers does exist).  Thus, rather than imposing broad regulations across the IoT landscape, this would target anyone interested in reaching the vast government market. Various industry insiders and cyber experts have given positive feedback on this proposed legislation, as the consensus seems to be that this will help entice vendors to make their IoT devices more secure so that these enhancements would be manifest across the public and private sectors.


<Opinion>

I get the value in doing something rather than doing nothing, and I have been on the “IoT is insecure” bandwagon for some time now.  However, I still can’t help but think that this is beginning to feel like a piecemeal approach to security and privacy. If we continue to focus on specific industries, or devices, or vendors we run the risk of losing sight of the bigger picture.  Personally, I believe we need to focus on data-centric security policies and stop trying to think about edge or network security as the primary points of vulnerability.  I would argue that if we focus on the data and privacy we can then design comprehensive architectures that are purpose-built to safeguard that which we hold most important and critical.  Yes, edge security and firewalls are going to be a component of that, as will encryption and information silos, along with access control and secure protocols, as well as knowledge transfer and training.  However, it is important to keep our eye on the prize, the crown jewels, if you will — the data itself, rather than the medium upon which it flows.

So yes, the draft legislation may help with IoT devices and making them less insecure since consumers care too little about security for any true market driven forces to effectuate these changes.  However, if we continue to take a device-by-device, industry-by-industry approach we will be drafting legislation for years and still inevitably something is going to fall through the cracks.  If we had focused on data-centric legislation years ago then IoT devices may never have been a cybersecurity issue in the first place.

Wouldn’t a more pragmatic choice be to draft legislation that targets data security and privacy irrespective of the platform?  Irrespective of the industry?  Irrespective of the intended market? Why not build legislation that protects data. Wouldn’t the natural and logical flow result in the inclusion of such basic product attributes such as the ability to patch devices and use standard protocols and not use hardcoded passwords?

Leave a Reply