In the wake of several high-profile data breaches, data protection has moved to the forefront of internet regulation. From the EU’s General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA), governments around the world recognize that data protection is increasingly important.
This is no different in the rapidly expanding internet of things (IoT) industry, where the number of IoT devices is expected to grow to 21.5 billion by 2025. With such massive growth expected, several governments have turned their attention to the security of IoT devices.
Recently, the United States federal government and the state of California each passed their own IoT cybersecurity law. The federal law governs which IoT devices federal agencies may buy; the California law sets baseline security requirements for connected devices sold in the state. Both aim to protect users and their data as IoT technology becomes more prevalent.
With that being said, here is all you need to know about these US and California IoT security bills.
The United States IoT Cybersecurity Bill
First, let’s cover the major United States IoT cybersecurity bill.
With broad bipartisan support, the IoT Cybersecurity Improvement Act of 2020 was signed into law in December 2020. Although it is mainly concerned with federal procurement of IoT devices, it has the potential to raise the security baseline across the entire IoT industry.
There is a lot to unpack, so let’s go over the main points of the act.
- NIST must develop standards and guidelines for the use and management of IoT devices: The act directs the National Institute of Standards and Technology (NIST) to publish standards and guidelines for federal agencies’ appropriate use and management of IoT devices, covering at minimum secure development, identity management, patching and configuration management.
- NIST must also develop guidelines for vulnerability disclosure: NIST must publish guidelines for reporting, coordinating, publishing and receiving information about security vulnerabilities in IoT devices owned or controlled by an agency, and for resolving them, so that security researchers and other third parties have a defined route to report issues.
- Agencies and their contractors must comply: From December 2022 (two years after enactment), federal agencies are barred from procuring, obtaining or using IoT devices that do not meet the NIST standards and guidelines, subject to a waiver process. In practice this means contractors supplying IoT devices to the government must meet those minimum standards.
As mentioned above, the act has the potential to improve the security of IoT devices well beyond government. Here are a few of the ways it will change IoT cybersecurity in both the public and private sectors.
- Public sector: 56 out of 80 federal agencies use IoT technology for various reasons, meaning an expansive law was needed to help mitigate the risk of cyber attacks. This regulation will directly affect government contractors in the IoT industry. The main intent of the IoT cybersecurity bill is to stop federal agencies from purchasing IoT devices that fail to meet “minimum standards.”
- Private sector: This is more speculative, as the private sector is not mentioned in the act. Nonetheless, it has the potential to set a de facto standard for how the private sector manages risk in new IoT devices, since vendors that sell the same products to both government and commercial customers will tend to build to the stricter requirement.
With the procurement restrictions taking effect in December 2022, here are a few things organizations in the IoT industry should do to prepare.
- Manufacturers: need to align device requirements and documentation with the NIST guidelines (for example, support for patching, unique device identity and secure configuration). They also need a coordinated vulnerability disclosure process: a published way for researchers to report security flaws in their devices, and a process to fix and disclose them.
- Federal contractors: need to inventory the systems they operate or supply that include IoT devices and plan how those devices will meet the NIST guidelines.
- Other organizations: should consider how the new guidelines may impact their compliance with cybersecurity laws. They should also identify IoT devices in their systems and determine whether or not they will be compliant with NIST guidelines.
The act is exciting because it is the first federal legislation for IoT device security in the United States. But it wasn’t the first IoT security law in the country: California got there first.
California’s IoT Security Law
Now that we have the United States IoT security bill covered, let’s move to California.
California has taken major strides to improve data privacy on the internet in recent years, with the California Consumer Privacy Act (CCPA) the most prominent among them.
In recent years the California government has made a concerted effort to regulate the burgeoning IoT industry. In September 2018 California enacted SB-327, the Internet of Things Security Law, the first of its kind in the US; it took effect on January 1, 2020. Its intent is to give users of connected devices a baseline of security. Most critically, it requires manufacturers to build reasonable security features into their devices rather than leaving security to the user.
Here are the main takeaways from the bill:
- Manufacturers must equip devices with “reasonable security features”: The features must be appropriate to the nature and function of the device and to the information it collects, contains or transmits, and they must be designed to protect the device and any information it holds from unauthorized access, destruction, use, modification or disclosure.
- Specific rules for devices that can be authenticated from outside a local area network: For these devices the security feature is deemed reasonable if either the preprogrammed password is unique to each device manufactured, or the device requires the user to generate a new means of authentication before access is granted for the first time. In short, this outlaws the shared factory default password (the same credential on every unit of a product line) that attackers can scan for and reuse across an entire fleet.
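To make the password clause concrete, here is an added example (not code from the original article or from any manufacturer’s firmware) that models the three choices a factory line and a device can make: the shared default the law is meant to end, a unique per-unit credential, and forcing the user to set a credential before first access. The names `Device`, `provision_batch` and `audit_batch`, the sample serial numbers and the factory default `"admin"` are all hypothetical, and the PBKDF2 iteration count is an assumed illustrative value.

```python
"""Models of the SB-327 authentication clause (illustrative, hypothetical code)."""
import hashlib
import hmac
import os
import secrets
from collections import Counter
from typing import List, Optional, Tuple

# Shared factory default that the statute's password clause is designed to end.
# Constructed value for this example; not taken from any real product.
SHARED_DEFAULT = "admin"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an assumed example value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Device:
    """Minimal model of a device's authentication state (hypothetical, not a real firmware API)."""

    def __init__(self, serial: str, preprogrammed: Optional[str] = None):
        self.serial = serial
        self.salt = os.urandom(16)
        # A device shipped without a credential must have one set before first access.
        self.pw_hash = None if preprogrammed is None else hash_password(preprogrammed, self.salt)

    def setup_complete(self) -> bool:
        return self.pw_hash is not None

    def set_password(self, new_password: str, current_password: Optional[str] = None) -> bool:
        """First-boot setup needs no credential; later changes must prove the current one."""
        if self.setup_complete() and not self.authenticate(current_password or ""):
            return False
        if len(new_password) < 8 or new_password == SHARED_DEFAULT:
            return False  # refuse to let the user re-create the weak default
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(new_password, self.salt)
        return True

    def authenticate(self, password: str) -> bool:
        if not self.setup_complete():
            return False  # no access of any kind until a credential exists
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))


def provision_batch(serials: List[str], mode: str) -> List[Tuple[str, Optional[str]]]:
    """Return (serial, credential) pairs as a factory line would record them.

    mode: "shared_default" (non-compliant), "unique" (random credential per unit,
    printed on the device label), or "user_setup" (no credential; the device forces
    the user to set one before first access).
    """
    records: List[Tuple[str, Optional[str]]] = []
    for serial in serials:
        if mode == "shared_default":
            records.append((serial, SHARED_DEFAULT))
        elif mode == "unique":
            records.append((serial, secrets.token_urlsafe(12)))
        elif mode == "user_setup":
            records.append((serial, None))
        else:
            raise ValueError(f"unknown provisioning mode: {mode}")
    return records


def audit_batch(records: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Serials whose preprogrammed credential is shared with another unit in the batch.

    Any result means the batch fails the 'unique to each device manufactured' test.
    Units with no preprogrammed credential are exempt because they gate first access.
    """
    counts = Counter(cred for _, cred in records if cred is not None)
    return [serial for serial, cred in records if cred is not None and counts[cred] > 1]


if __name__ == "__main__":
    serials = ["SN-0001", "SN-0002", "SN-0003"]  # constructed sample serials
    for mode in ("shared_default", "unique", "user_setup"):
        flagged = audit_batch(provision_batch(serials, mode))
        print(f"{mode:15s} -> {'FAIL ' + str(flagged) if flagged else 'OK'}")
    dev = Device("SN-0004")  # user_setup unit straight from the box
    print("login before setup:", dev.authenticate(SHARED_DEFAULT))
    print("setup with strong password:", dev.set_password("correct-horse-battery"))
    print("login after setup:", dev.authenticate("correct-horse-battery"))
```

The audit runs over the factory’s provisioning records rather than over the devices themselves, because a device only stores a salted hash and two units with the same password would not have comparable hashes. The setup-gated device refuses every request, including one presenting the weak default, until a credential exists, and after setup a password change must prove the current password.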
Here is what this bill means going forward.
- Manufacturers bear the burden: To comply, manufacturers of connected devices sold in California must ship the reasonable security features described above. The law applies to any device capable of connecting to the internet, directly or indirectly, that is assigned an IP address or a Bluetooth address.
- Critics say the law is too vague: Many experts argue that “reasonable” is too vague to have a significant impact on the industry, and the law does not specify penalties. It creates no private right of action; enforcement is left to the California Attorney General, city attorneys, county counsels and district attorneys, so it remains to be seen how devices that fall short of “reasonable” will actually be penalized.
The California law was the first state-level legislation designed to improve IoT security, and Oregon followed in 2019 with a similar law that also took effect on January 1, 2020. Going forward, we expect further laws to supplement them as more parts of the internet come under regulation.
The new decade has brought increasing interest in regulating many parts of the internet. IoT technology has expanded rapidly, and while that expansion has been beneficial in many ways, it has also brought growing security concerns, especially for government contractors.
Though the internet was once something of a wild west, we are moving quickly towards a regulated environment where privacy is paramount. These laws will likely prove to be watershed moments in the trajectory of internet security, and though imperfect, they will likely serve as foundational documents for years to come.
If you want help getting ahead of the curve with these new laws, get in touch with us today and find out how we can help you comply with IoT security legislation.
Read Our Other Resources
We’ve also published a range of IoT resources for our community, including:
- Looking to work within Europe? Read IoT and GDPR: How to Stay Compliant in 2021
- Further your understanding of IoT regulation in Europe by reading EU IoT Regulation: What Your Business Needs to Know
- Improve your device’s safety by reading A Developer’s Guide to IoT Encryption Algorithms
- Buying versus building an IoT platform, which discusses how to choose the best option for you.