Logo

American Security Council Foundation

Back to main site

Alan W. Dowd is a Senior Fellow with the American Security Council Foundation, where he writes on the full range of topics relating to national defense, foreign policy and international security. Dowd’s commentaries and essays have appeared in Policy Review, Parameters, Military Officer, The American Legion Magazine, The Journal of Diplomacy and International Relations, The Claremont Review of Books, World Politics Review, The Wall Street Journal Europe, The Jerusalem Post, The Financial Times Deutschland, The Washington Times, The Baltimore Sun, The Washington Examiner, The Detroit News, The Sacramento Bee, The Vancouver Sun, The National Post, The Landing Zone, Current, The World & I, The American Enterprise, Fraser Forum, American Outlook, The American and the online editions of Weekly Standard, National Review and American Interest. Beyond his work in opinion journalism, Dowd has served as an adjunct professor and university lecturer; congressional aide; and administrator, researcher and writer at leading think tanks, including the Hudson Institute, Sagamore Institute and Fraser Institute. An award-winning writer, Dowd has been interviewed by Fox News Channel, Cox News Service, The Washington Times, The National Post, the Australian Broadcasting Corporation and numerous radio programs across North America. In addition, his work has been quoted by and/or reprinted in The Guardian, CBS News, BBC News and the Council on Foreign Relations. Dowd holds degrees from Butler University and Indiana University. Follow him at twitter.com/alanwdowd.

ASCF News

Scott Tilley is a Senior Fellow at the American Security Council Foundation, where he writes the “Technical Power” column, focusing on the societal and national security implications of advanced technology in cybersecurity, space, and foreign relations.

He is an emeritus professor at the Florida Institute of Technology. Previously, he was with the University of California, Riverside, Carnegie Mellon University’s Software Engineering Institute, and IBM. His research and teaching were in the areas of computer science, software & systems engineering, educational technology, the design of communication, and business information systems.

He is president and founder of the Center for Technology & Society, president and co-founder of Big Data Florida, past president of INCOSE Space Coast, and a Space Coast Writers’ Guild Fellow.

He has authored over 150 academic papers and has published 28 books (technical and non-technical), most recently Systems Analysis & Design (Cengage, 2020), SPACE (Anthology Alliance, 2019), and Technical Justice (CTS Press, 2019). He wrote the “Technology Today” column for FLORIDA TODAY from 2010 to 2018.

He is a popular public speaker, having delivered numerous keynote presentations and “Tech Talks” for a general audience. Recent examples include the role of big data in the space program, a four-part series on machine learning, and a four-part series on fake news.

He holds a Ph.D. in computer science from the University of Victoria (1995).

Contact him at stilley@cts.today.

IoT Cybersecurity Improvement Act Signed Into Law: New Security Requirements for Federal Government Devices

Wednesday, December 23, 2020

Categories: ASCF News Bipartisianship Cyber Security

Comments: 0

The IoT Cybersecurity Improvement Act of 2020 is now federal law, meaning that US government “smart devices” will be subject to a new and more stringent set of security standards.- Advertisement -

Sponsored by a bipartisan coalition consisting of Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) along with Senators Mark Warner (D-VA) and Cory Gardner (R-CO), the terms of the bill apply to any IoT device purchased with government money. In addition to establishing new mandatory minimum security standards for these devices, the new IoT cybersecurity bill requires that these standards and policies be updated at least once every five years.

IoT cybersecurity act aims to shore up supply chain vulnerabilities

The new IoT cybersecurity bill does not spell out all of the new security standards; this responsibility goes to the National Institute of Standards and Technology (NIST) to develop, while the Office of Management and Budget (OMB) is tasked with reviewing current information security policies and ensuring that they stay consistent with NIST guidelines. NIST and OMB are also tasked with creating new vulnerability reporting guidelines, including a new standard for reporting by government contractors. The two agencies will convene to update standards, guidelines and policies periodically.

Federal agencies will not be allowed to acquire IoT devices that do not meet NIST’s baseline security standards. However, the IoT cybersecurity bill includes a waiver process for devices that meet certain criteria: those that are necessary for national security or that are required for research are two primary examples.

The IoT cybersecurity bill comes in response to a longstanding state of generally poor security in smart device manufacture, something that has been exploited even more ruthlessly than usual as of late as the Covid-19 pandemic causes all types of cyber crime to spike. Since IoT devices have become available the industry has been plagued by a lax attitude toward security; some of it due to lack of understanding of how damaging the compromise of these devices can be, some of it simply owed to cost-cutting and market pressures. The end result has been a great deal of internet-connected smart devices that either have insufficient protection from hacking or have no ability to update when vulnerabilities are discovered.

There has been a 100% increase in IoT device takeovers in 2020; these devices now represent 32.72% of all infected mobile and WiFi network components, up from 16.17% last year. Well aware of the tendency of these devices to be vulnerable, cyber criminals are targeting network scans to look for public-facing smart devices to compromise. Edgard Capdevielle, CEO of Nozomi Networks, adds: “Nozomi’s 2020 OT/IoT Threat Landscape Report found that In the first six months of this year, hackers used IoT botnets and shifting ransomware tactics as their weapons of choice for targeting IoT devices in operational networks. With more than 5.8 million enterprise and automotive IoT devices expected to be connected to the Internet this year according to Gartner, this new law will help make IoT security a top priority.”

Government agencies have to consider not just the devices that are used internally, which may be tucked away behind a secure network, but also the entirety of the federal third-party contractor supply chain that now spans over four million companies. The government has weathered a number of high-profile “vendor compromise” incidents of this nature in recent years, the hack of security vendor SolarWinds being the biggest and most current example.

Focus on IoT security by design

Whatever policies come out of NIST will face considerable natural obstacles in real-world implementation, however. The bill calls for a focus on “security by design,” which would appear to mandate the acquisition of devices that are manufactured with this level of security in mind. There is simply a general shortage of these sorts of devices available on the market in many product categories, with the young IoT industry focused much more heavily on competing on cost and rapid innovation. The existing supply chain is also built on millions (if not tens of millions) of these devices, making replacement a task that is potentially too expensive and disruptive to operations.

Observers have also raised concerns over the inclusion of waivers in the IoT cybersecurity bill; the language used appears to be broad enough to make it possible to sneak through a variety of insecure devices with a little creativity. However, language in more recent versions had been restricted as compared to the version initially introduced to the House (which allowed for waivers in any situation “appropriate to the function of the covered device,” something that was clearly ripe for abuse). As of this writing the final text of the bill has yet to be posted publicly by the Library of Congress.

Other IoT cybersecurity mandates

Efforts to regulate IoT cybersecurity have been ramping up around the world recently as the US federal government is not unique in having to cope with this embedded threat. This includes within the United States, as digital privacy leader California has a bill in the pipeline (SB-237) that would require device manufacturers in the state to implement “reasonable security features appropriate to the function of the device.” And while the EU’s GDPR does not directly address IoT security at a manufacturing level, legislation being considered in the United Kingdom would require similar security features. If passed, it might lead to the standards being applied beyond UK borders. Yaniv Nissenboim, Vice President of Vdoo, added: “We also expect the trend to spread to state governments (most have already introduced or passed IoT cybersecurity legislation) and then immediately onto private adopters and users. Companies that fail to demonstrate compliance might find themselves shut out of lucrative target markets for their IoT devices at some point … We expect similar regulations and standards to emerge outside the US as well. Singapore has already launched a national rating system for connected devices’ cybersecurity, and other nations will follow. This is an expected reaction of regulators to the increasing threat globally.”

Photo and Link: IoT Cybersecurity Improvement Act Signed Into Law: New Security Requirements for Federal Government Devices - CPO Magazine

Comments RSS feed for comments on this page

There are no comments yet. Be the first to add a comment by using the form below.