Is the IoT Cybersecurity Improvement Act Enough?

It’s no secret that the current state of internet of things, or IoT, security is sub-par. We all see the steady drumbeat of headlines detailing new vulnerabilities in just about every connected device, from smart vacuums to digital assistants. 

There is still a lot of work to be done when it comes to making IoT more secure, and the U.S. government is taking notice. The House of Representatives recently passed a bipartisan bill requiring that all IoT devices purchased by the government meet minimum security requirements. Known as the IoT Cybersecurity Improvement Act, the measure directs the National Institute of Standards and Technology to create security standards that government agencies would have to follow when purchasing IoT devices, as well as the management of their vulnerabilities.

While any bipartisan bill is likely to generate varying viewpoints, this is one that should be applauded, considering the biggest gap in addressing IoT security is lack of awareness. But is it really enough to generate industrywide change? Let’s explore.

A Portion of the Massive Problem

This bill is certainly a step in the right direction, as it will help bring the topic of IoT security and privacy front and center for federal organizations, technology manufacturers and consumers alike. First, let’s look at the pros. The involvement from NIST in developing guidelines on the use of IoT devices, as well as the management and disclosure process of related vulnerabilities, is perhaps one of the biggest benefits of the bill. Once approved and implemented, these guidelines could provide helpful guidance to both the public and private sector—but ultimately, we need more than just general guidelines.

Now, let’s evaluate the cons. The bill in its current state addresses just a portion of the larger problem at hand. The security regulations outlined in the bill only apply to IoT technologies that will be used in federal environments, rather than being applicable across all relevant IoT-enabled devices. So, while it is a good first step, it’s far from being entirely sufficient.

The responsibility still falls on the manufacturers to provide secure, trustworthy IoT technologies. Simultaneously, we as consumers must also demand better security from the companies selling us these devices. Without this, it’s unlikely we’ll see the level of action required to turn the IoT security tides across the board. At the end of the day, an all-encompassing set of guidelines for secure IoT device manufacturing, distribution and implementation is required in order to drive a realistic shift. 

What Else Can Be Done

IoT transcends far beyond the government—in fact, industry experts forecast there will be as many as 125 billion IoT devices by 2030. So, what else can be done to ensure IoT security is at the forefront of everyone’s agenda?

The first step is to increase awareness and education across the board for both manufacturers and consumers. Manufacturers need to be aware of the dangers of IoT vulnerabilities, their options for mitigating those dangers, the proper methods and technologies for testing their products, and the correct way to handle reports and fixes in the event that security issues have been discovered. This is particularly important as the IoT world becomes more complex due to the implementation of APIs and dispersed data, only creating a more urgent need for user awareness paired with manufacturer education.  

In tandem, end users must be more cognizant about their IoT purchases. It’s important to remember that taking the more affordable option when purchasing a connected device means that security likely wasn’t as big of a priority during the product’s design and build. In general, a good rule of thumb before buying a new device is asking, “Do I really need this? Do I really need another piece of technology with a camera, microphone, or tracking capability in my life?” More often than not, the answer is no. However, if you still feel inclined to make the purchase, go with a trusted vendor that has a strong reputation and stance on security. 

IoT security has come a long way since smart technologies first emerged, so ultimately, we are making progress over time. However, as cyber criminals continue with their schemes at a record pace, we need to be more hypervigilant and proactive than we notoriously have been in order to reap the rewards of IoT-enabled technology, without the major risks. The U.S. government is setting the tone from the top, and until guidelines or formal regulations are implemented at an end user level, it’s a shared responsibility to be smart when it comes to IoT usage.

Erez Yalon is director of the security research group at Checkmarx.