by: Tuong Pham
In recent years, the advent of technology has brought along with them security issues. In the realm of Internet of Things (IOT) devices, new proposed legislation has attempted to deal with security problems. IOT refers to the interconnection of physical devices that communicate through networks or over the internet. IOT devices have become commonplace in the modern world. The devices include all smart devices like internet connected TVs, Apple watches, smart speakers, and Amazon Echos. The issues of privacy and security for IOT have become an important topic for Congress and state government.
The National Institute of Standards and Technology (NIST) has recently published 2 publications with new guidelines for IOT. The new security guidelines depend on the devices, and their interaction with human users, and other systems with which the devices interact. NISTIR 8259 “Foundational Cybersecurity Activities for IoT Device Manufacturers recommends six (6) activities manufacturers should consider to improve the security of IOT devices.[1] The six factors include: 1) identify expected customers and users, and define expected use cases; 2) research customer cybersecurity needs and goals; determine how to address customer needs and goals; plan for adequate support of customer needs and goals; define approaches for communicating to customers; and decide what to communicate to customers and how to communicate the same. The NISTIR 8259A “IoT Device Cybersecurity Capability Core Baseline”[2] provides six (6) baseline device cybersecurity capabilities for manufacturers including: 1) device identification, 2) device configuration, 3) device protection, 4) logical access to interfaces, 5) software update, and 6) cybersecurity state awareness.
Congress has introduced bills to help deal with situations involving IoT. On September 15, 2020, the House of Representatives passed the Internet of Things Cybersecurity Improvement Act of 2020.[3] The bill backed by Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.) aims to provide minimum security standards for IoT devices. The bill tasks NIST with creating standards and guidelines for use and management of IoT devices. NIST would also be required to update the security standards and guidelines every five years as well. Other bills have also been introduced in Congress as well. For example: the Data Protection Act of 2020 seeks to create a new federal agency to assess high risk data practices, the Ethical Use of Facial Recognition Act seeks to prohibit federal use of facial recognition software without a warrant, and the National Artificial Intelligence Initiative Act of 2020 seeks to support research and development in AI, including developing standards for trustworthy AI systems.[4]
At the state level, different states have taken varying measures to address the security and privacy concerns of IoT. California legislation SB 327 became effective January 1, 2020 and requires manufacturers of IoT to provide reasonable security features or features must be “appropriate to the nature and function of the device; appropriate to the information the device may collect, contain, or transmit; and, designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”[5] Oregon enacted a similar law effective on January 1, 2020 that required IoT to be equipped with “reasonable security features.”[6] Washington state has introduced a bill called Notifying Washington Consumers of Products that Transmit User Data. The bill requires that devices capable of transmitting user data to business entities, must include a sticker informing the user of that feature.
As IoT devices continue to grow more prevalent in modern day society, the need for some regulatory framework grows. Congress and state governments have reacted to the privacy and security concerns implicit in IoT with varying success. With the passage of Internet of Things Cybersecurity Improvement Act of 2020 through the House, the future is increasingly likely that IoT manufacturers may have to adopt specific guidelines.
References
[1] Michael Fagan et. al., Foundational Cybersecurity Activities for IoT Device Manufacturers https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf
[2] Michael Fagan et. al., IoT Device Cybersecurity Capability Core Baseline https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259A.pdf
[3] Mark Rockwell, House votes for new rules on federal IOT acquisition. https://fcw.com/articles/2020/09/15/iot-cyber-bill-passes-house.aspx
[4] U.S. AI and IoT Legislative Update- First Quarter 2020, https://www.lexology.com/library/detail.aspx?g=c4e768e8-ec9f-4e74-9ef2-d09996d79b9c
[5] Deborah A. George, IoT Manufacturers – What you need to Know about California’s IoT Law. https://www.natlawreview.com/article/iot-manufacturers-what-you-need-to-know-about-california-s-iot-law
[6] Deborah A. George, Oregon’s New IoT Law. https://www.natlawreview.com/article/oregon-s-new-iot-law
