Will federal IoT legislation nudge business standards? Lawmakers say maybe

A bill proposing safety guidelines for federal internet of things purchases passed the House Monday, with senators hoping a corresponding bill will soon follow – and potentially influence IoT development standards at large.

Discussing the new bill, Sen. Mark Warner, D-Va., noted the lack of security baked into IoT products could have broad national effects.

"We all remember the Mirai botnet that attacked us back in 2016," he said to reporters Tuesday during a press call. Mirai, software that turned consumer security cameras into DDoS nightmares, ultimately crashed Netflix, The New York Times and Twitter in one afternoon.

But the Internet of Things Cybersecurity Improvement Act won't directly affect consumer goods like the cameras in Mirai or the bevy of internet-connected devices available. Its focus is on minimal security standards for internet-connected devices purchased by federal agencies.

The press call featured three of the four legislators behind the bill: Warner and Reps. Will Hurd, R-Texas, and Robin Kelly, D-Ill. Sen. Cory Gardner, the fourth sponsor, was not on the call. All of those represented expressed hope that encouraging standards for the federal space would trickle down into the consumer market. They also recognized the possibility it might create a bifurcated market, with federal-grade goods separate from consumer-grade ones.

Beyond the threat of Mirai-style botnets, connected devices give hackers a foothold from which to attack networks, and they generate valuable, hackable information of their own. The IoT bill would directly address the latter two problems on federal networks.

The bill, first introduced in 2017, would require federal agencies to purchase only internet-connected devices consistent with Office of Management and Budget determination of agency-specific security standards. OMB would base those standards on findings from the National Institute of Standards and Technology. It would also require vendors to have coordinated disclosure programs.

Might such a requirement have broader implications? Certainly, the federal government's massive buying power encourages developers to meet those minimum standards across all of their products. Similarly, consumer pressure might force all products to meet federal standards.

"I don't think it's unreasonable that consumers wouldn't want the same protection that the federal government would want," said Hurd.

Brad Ree, chief technology officer for the internet of things industry standards group, the ioXt Alliance, was optimistic that the bill would push several types of devices to higher security standards.

"It's just not practical to build two versions of many connected products," he said, noting that the government is a major purchaser of everything from garage door openers to mini fridges.

That might not mean all devices would benefit. Baby cameras, said Ree, are more commonly a consumer good.

But, as all three lawmakers noted, there was no guarantee that the industry would shift as a whole rather than split into federal and consumer products.

Hurd noted that this doesn't give private-sector CISOs a pass to introduce insecure devices. For example, banks and other businesses already have to meet regulatory demands.

Kelly added that IoT manufacturers could be influenced by a growing public understanding of the importance of security, even if the bill did not impact the thinking of consumer brands.

"Consumers have shown that they care about privacy and security and companies should be investing in their security to give themselves what may be a competitive advantage," said Kelly.

Warner said that his original intent in creating an IoT bill was to explicitly cover all – not just federal – devices, but the bill was shaped in part by what was legislatively possible. He did hold out hope a potential federal move would push the industry as a whole, not separate federal and consumer products.

"At least personally, I obviously hope that we don't end up bifurcating," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
