In the wake of the powerful Mirai, Reaper and Okiru Distributed Denial-of-Service (DDoS) botnet attacks, executed through the infection and hijacking of hundreds of thousands of vulnerable Internet of Things (IoT) devices, governments around the world are stepping up their efforts to address the increased security and safety risks inherent in the rise of IoT adoption, and to better define their role in promoting and regulating the technology.
In the United States, Congress has introduced several IoT bills in both the House of Representatives and the Senate. These measures approach the IoT from different perspectives, including creating new resources for end users to better understand the security and reliability of their IoT devices, imposing contractual requirements on companies, and regulating specific security standards.
One such bill, the Developing Innovation and Growing the Internet of Things (DIGIT) Act, directs the U.S. Secretary of Commerce to convene a “working group of Federal stakeholders” to create recommendations and a report to Congress on the IoT. Another such bill, the SMART IoT Act, would require the U.S. Department of Commerce (DOC) to conduct a study on the state of the industry. The DOC’s National Institute of Standards and Technology (NIST) has already launched a collaborative project to develop a voluntary privacy framework to aid organizations in managing risk.
Congress is also considering the Cyber Shield Act, which would create a voluntary labeling and grading system for IoT devices. Under this program, products are to be given grades that “display the extent to which a product meets the industry-leading data security and cybersecurity benchmarks.”
Another security bill, the Securing the IoT Act, would require the Federal Communications Commission (FCC) to establish cybersecurity standards that radio frequency equipment must meet in order to be certified under the FCC’s technical standards for equipment authorization.
Finally, the Internet of Things Cybersecurity Improvement Act sets minimum security standards for connected devices purchased by the government and mandates the specific contractual provisions agencies must include in any contract for such devices. Although the legislation only applies to government agency suppliers and affiliates, it could well establish a benchmark for device manufacturers that will influence commercial production.