Cybersecurity leaders believe that the new Internet of Things Cybersecurity Improvement Act will help increase security protection for the massive volume of IoT devices in enterprises and domestic environments
The Act was signed by the POTUS and converted into a law in December. It has codified what cybersecurity experts have long asked for; it is for better security protection for connected IoT devices.
Security leaders point out that a range of electronics has been transformed into internet-connected systems in the past couple of years. The recent bill needs the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) to specific steps for increasing security measures related to the Internet of Things (IoT) appliances.
The sudden expansion and explosion of IoT devices in the everyday routine has coincided with the steep increase in highly critical attacks that manipulate their liabilities to cause as much impact as possible. Experts believe that the law will be a major milestone for the IT industry and will help bringing together the private and public sectors. Such collaboration will help develop a range of mandatory minimum security needs.
Leaders point out that while the bill is mainly meant for government purchases, it’s expected that consumer ecosystems, retailers, and network operators will follow similar standards for client products. CISOs believe that the law will nudge the IoT device manufacturing industry to improve the security of the devices.
Leaders point out that in the first six months of the pandemic, threat actors excessively used IoT botnets and implemented ransomware strategies as their top arsenal for targeting corporate security profiles and IoT devices used in the operational networks. The hard work relevant to the development of device standards and guidelines is far from completion. The involvement of NIST will help accelerate the adoption of connected and IoT device security guidelines at a global level. This will help improve the comprehensive industrial and critical corporate infrastructure security.
CISOs support the law as it calls for the development of guidelines and standards; identity management, secure development, configuration management, and patching. It enables NIST to collaborate with cybersecurity researchers, private sector industry experts, and government agencies to announce standard guidelines relevant to reporting and resolving liabilities.
Enterprises working with IoT devices will now be required to implement the Vulnerability Disclosure Programs, which will be applicable for government agencies. This is critical as many IoT devices are devoid of security controls; it allows them to access data and networks. When such devices are deployed across the IT industry, healthcare, or Defense agencies, sensitive data can be easily stolen from their database.
The accelerated technological leaps have prompted vendors to ignore devices in favor of the latest updated versions. They have no reason or requirement for building on security when selling products.
Unfortunately, this has served as a perfect gateway for threat actors to compromise enterprises and other agencies to exfiltrate data. When manufacturers are forced to follow at least a minimum security level, it will help reduce or prevent the loss of confidential data.
CISOs believe that the major vulnerability associated with IoT devices is that they were developed to communicate with any volume of APIs; this may make them highly susceptible to security liabilities.
The only criticism for the bill currently is that it is mandatory only at the government agency level when it could prove to be highly productive for the entire industry. Leaders hope that all devices are built hereon with the guidelines to mitigate any potential attacks in the future.