The US Congress, despite the damage the outgoing president’s refusal to accept defeat is causing, seems to have managed to finalize passage of an apparently very comprehensive law on the security of the Internet of Things (IoT), a nice baseline that will help consolidate a much-needed part of an environment that promises very high growth in the near future, as billions of devices of all kinds are progressively connected to the internet.
The IoT Cybersecurity Improvement Act, the unanimous approval of which has been celebrated by most of the industry, was conceived with the advice of companies such as Symantec, Mozilla and BSA The Software Alliance, and is based on a list of considerations that IoT devices must cover: secure development, identity management, patching, and configuration management.
The law establishes a series of requirements that set a baseline for IoT-related products: consumer electronics companies will be able to choose not to comply with them, and therefore it will not be illegal to offer unsafe products on the market (which will predictably have lower prices), but for those who prefer to pay for a higher level of security, there will be at least a series of basic industry standards to which they can refer, and which other manufacturers more committed to security will be able to use. Some states, like California and Oregon, have already developed legislation in this regard, but the passage of a law at the federal level is a strong incentive to create industry standards.
This is a first step that, assuming the president approves the law, which is already on his desk, will allow the market to understand the importance of security in this context, and should mean that incidents such as the development of botnets using constellations of insecure devices or the exploitation of vulnerabilities in specific installations could, at the very least, become more isolated and difficult to carry out. There is no such thing as total security, but we need to raise the entry barriers for those who wish to take advantage of the lack of security, and prevent access to certain devices from being, as is currently the case, child’s play.
The European Union also has initiatives at various stages of development aimed at creating reference frameworks for IoT security, which will certainly take note of the legislative approach proposed by the United States. This is undoubtedly an ecosystem with enormous potential for development in an increasing number of areas, but it must be properly regulated if it is not to end up becoming a nightmare, as was already beginning to happen.