In the wake of the powerful Mirai, Reaper and Okiru distributed denial-of-service (DDoS) botnet attacks, executed through the infection and hijacking of hundreds of thousands of vulnerable Internet of Things (IoT) devices, governments around the world are stepping up their efforts to address the increased security and safety risks inherent in the rise of IoT adoption, and to better define their role in fostering and regulating the technology.
With more than eight billion IoT devices in use in 2017 and approximately one million new IoT connections made every hour, policymakers are taking a closer look at the many security and user-awareness implications associated with the Internet of Things. Not surprisingly, a number of proposals for studying and regulating IoT devices are being considered.
In the United States, Congress has introduced several IoT bills in both the House of Representatives and the Senate. These measures approach the IoT from different perspectives, including creating new resources for consumers to better understand the security and reliability of their IoT devices, regulating specific security standards and imposing contractual requirements on companies that provide IoT devices to the government.
One such bill, the Developing Innovation and Growing the Internet of Things (DIGIT) Act, directs the U.S. Secretary of Commerce to convene a “working group of Federal stakeholders” to create recommendations and a report to Congress on the IoT. Another bill, the SMART IoT Act, would require the U.S. Department of Commerce to conduct a study on the state of the industry. The Department of Commerce’s National Institute of Standards and Technology (NIST) has already launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk.
Congress is also considering the Cyber Shield Act, which would create a voluntary labeling and grading system for IoT devices. Under this program, products may be given grades that “display the extent to which a product meets the industry-leading cybersecurity and data security benchmarks.” Products that meet the advisory board’s standards would carry a cyber-shield logo. The system has been compared to the Energy Star program developed by the EPA more than 20 years ago.
Separately, the Senate has introduced the IoT Consumer Tips to Improve Personal Security Act, which would require the Federal Trade Commission (FTC) to develop cybersecurity resources for consumer education and awareness regarding the purchase and use of connected devices. While the FTC produced guidelines for IoT security and privacy protection in 2015, it stopped short of calling for regulation, arguing that this would be premature. More recently, the FTC suggested that the legal framework surrounding the IoT is, for the most part, the same as the one that applies to other types of technology.
Another bill, the Securing the IoT Act, would require the Federal Communications Commission (FCC) to establish cybersecurity standards that radio frequency equipment must meet in order to be certified under the FCC’s technical standards for equipment authorization. The FCC has already weighed in on IoT regulation, and has suggested that if it determines the risks identified with the IoT won’t be naturally addressed by the market, it will consider further action.
Finally, the Internet of Things Cybersecurity Improvement Act sets minimum security standards for connected devices purchased by the government, and mandates the specific contractual provisions agencies must include in any contract for such devices. Although the legislation only applies to government agency suppliers and affiliates, it could well establish a benchmark for device manufacturers that will influence commercial production.