The U.S. House of Representatives’ recent passage of House Resolution 1668 – the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 – is an important milestone in improving American national security. Through its bipartisan backing and overwhelming approval by the House, this bill makes clear that Congress is taking a firmer stance, albeit after some delay, on security standards for connected devices used by the federal government. The proliferation of IoT connectivity in all manner of places – from homes to electrical substations to factories – has delivered incredible benefits to productivity and safety. But with these benefits come risks, especially in the form of malicious actors seeking to exploit weaknesses in this technology. Establishing clearer standards for government procurement and risk management for the IoT is a key step towards managing this challenge.
Alongside the private sector, the U.S. government has begun rapidly investing in and deploying IoT technology for a variety of use cases, with a majority of federal agencies already having done so. Among them are organizations such as the Departments of Energy, Defense, and Transportation, whose missions have serious safety implications. Thankfully, the ability to monitor and analyze telemetry from a broad array of geographically distributed devices and processes offers many gains in terms of efficiency, survivability, and – in the case of the American military – lethality.
Unfortunately, sophisticated cyber actors – backed by hostile nations – have taken notice. Testifying before the Senate in 2018, the Director of the Defense Intelligence Agency noted that the “most important emerging cyberthreats to our national security will come from exploitation of our weakest technology components: mobile devices and the Internet of Things.” Earlier this year, the Department of Homeland Security warned that Iranian government-sponsored hackers are “capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.” Recent attempts by similar actors to penetrate U.S. government information technology systems highlight Iran’s ongoing capability and intent to exploit information security vulnerabilities. Separately, Advanced Persistent Threats associated with various Russian intelligence services have built and used a bevy of tools to target IoT devices.
Bridging the gap between the physical and digital worlds, IoT devices serve as vectors for such malicious actors to inflict real-world damage through cyber intrusions. As the U.S. government continues rolling out its own IoT capabilities, having a clear and actionable security framework in place will thus be critical. Building on top of the work already done towards this end, the IoT Cybersecurity Improvement Act represents a unifying force for improving government practices and protecting against potentially catastrophic attacks.
The proposed bill does so through three broad requirements: standards development, vulnerability disclosure, and acquisition reform. Although the National Institute of Standards and Technology (NIST) – an agency of the Department of Commerce – has already published a series of guidelines for IoT security (partially at the behest of industry groups), this new legislation formalizes the effort and gives it greater weight. Especially by mandating minimum standards with respect to secure development and configuration management, such new guidance can help to establish a common bar for all government agencies capitalizing on IoT capabilities. Furthermore, by directing the Office of Management and Budget to enforce these requirements, the bill gives these standards bureaucratic “teeth” across the sprawling federal government, although it does exempt certain defense and intelligence agency systems.
With respect to the disclosure of potential security vulnerabilities in connected devices and software used in most federal networks, the IoT Cybersecurity Improvement Act directs the establishment of a formal process for receiving, disseminating, and acting on such information. This provision further solidifies the work done by the Cybersecurity and Infrastructure Security Agency (CISA) – part of the Department of Homeland Security – which promulgated detailed guidance this month that is mandatory for the majority of the federal government. This binding operational directive requires all applicable agencies to develop vulnerability disclosure policies, already starting some of the work laid out in the pending legislation.
Finally, the IoT Cybersecurity Improvement Act would modify the Federal Acquisition Regulation (FAR) to incorporate the aforementioned newly minted standards. Although representing a byzantine array of rules and procedures, the FAR serves as an important bulwark against waste and abuse in government procurement. While this document might require some reform of its own, beefing up IoT security standards is nevertheless an important goal to which government buyers will likely have to pay more attention.
The way ahead
With these three broad thrusts, this pending legislation represents a great start. Further down the road, however, legislators would be wise to incorporate additional requirements, especially with respect to IoT hardware and software supply chain security. The Government Accountability Office has identified supply chain security as a “high risk” area of concern for the United States Government, pointing out recent mishaps such as the State Department’s reliance on software developers with upstream suppliers based in Russia and China. Since both of these countries are known to conduct software supply chain attacks, and the latter has been brazenly targeting U.S. government networks of late, such a revelation is especially troubling. Furthermore, as the Pentagon’s Chief Information Officer said last year, in terms of “good cyber-hygiene to stay ahead of the adversary…we know many of the second- and third- or fourth-tier supply base simply doesn’t have the wherewithal.” Additional security measures further upstream in IoT supply chains, such as employee vetting and “chain-of-trust” integrity verification capabilities, should eventually become legal requirements for vendors selling to the government.
Despite its gaps, the Internet of Things (IoT) Cybersecurity Improvement Act is a solid piece of legislation that will strengthen America’s national security. The bill’s sponsorship by congressional cybersecurity leaders like Representative Will Hurd and Senator Mark Warner – who drafted a companion bill for the Senate – signals the seriousness and immediacy of the challenge. Given its bicameral support and the White House’s comfort with the proposed act’s content, it seems destined for passage and signing. With that said, all stakeholders – whether in the private sector, academia, civil service, or elected office – should strive to take this effort across the goal line and turn the bill into law.