I’m Just a Bill, Just an IoT Bill
On August 1st, a bipartisan bill entitled the Internet of Things Cybersecurity Improvement Act of 2017 was introduced in the Senate. On the surface, this can set off alarms for organizations looking to begin IoT initiatives, but is this proposed legislation cause for concern?
Why is this happening?
Remember that day last year when all your favorite sites shut down? Netflix, Twitter, HBO, Reddit and AWS were only some of the big names brought down by a Mirai bot attack. Mirai programs work to take over a home device of some sort through a phishing email or an alternative virus delivery channel. The infected device then automates an attack, in this case a DDoS (distributed denial of service) attack.
The Mirai bot attacks were successful because they didn’t attempt to directly hack Netflix or Twitter. Rather, the hackers overtook far less valuable, and thus far less secure, devices. Home computers, personal cell phones, even internet-connected toys can be hacked and automated to overwhelm more sophisticated targets with the sheer volume of attempted attacks.
The Senate is introducing this bill as a preliminary legislative step towards the prevention of future attacks.
What does it mean for IoT?
Essentially, hackers have learned how to leverage the power of IoT. If everything is connected, everything that is not properly secured becomes a key to a larger network.
Say I have an IoT-connected toothbrush that connects to an app on my phone, tracking my oral hygiene habits. On their own, that device and that data hold little to no value, outside of giving step-by-step instructions to anyone impressed with my smile. However, that toothbrush is likely connected to my home internet system, which is also connected to my personal computer, personal cell phone and much more. Hacking a loosely secured toothbrush with no perceived monetary value just provided a backdoor entry to far more valuable devices and data.
For IoT to be successful, there must be connectivity and data sharing between networks and devices…but they have to be secure connections.
This bill outlines how the government can arm itself against cybersecurity threats by securing anything and everything connected to government networks. Before the government can purchase any digital devices or software, all known vulnerabilities must be disclosed and minimum security standards must be met.
In some cases, this would require the replacement of technology already in use. However, many IoT companies (certainly the top tier providers) have these types of security measures in place.
So what’s next?
The introduction of this bill serves to inform the general public of the basic security standards that should be applied to all internet-connected devices and inform providers of the more stringent standards to come. This way, IoT providers can build out platforms and services with these new compliance standards in mind.
The bill still has a long way to go before it becomes a law, and there are several revisions that will have to be made to tighten up the legislation. Liberal use of the words “internet enabled device” paired with the broad definition of said devices could lead to a wider application of the guidelines than intended. All in all, this bill is a step in the right direction towards a more secure Internet of Things.
Clare Maher is the Product Marketing Manager at ClearObject. A graduate of Saint Mary’s College (#gobelles), Clare can usually be found yelling at the screen during a Notre Dame game, quoting any film ever made or touring the Indy restaurant scene.