Who ought to repair Web of Issues cybersecurity? Congress takes a crack at it

The U.S. Congress is turning its attention to the Internet of Things (IoT), meaning all those nifty networked devices like door locks, security cameras, nanny cams and kitchen appliances — in other words, all those shiny gizmos that we write about here in the Smart Home section and that many of you already have in your house.

Guess what? There are currently no security standards whatsoever that manufacturers are mandated to follow. Congress is looking to change that by introducing a bill next week called The Internet of Things Cybersecurity Improvement Act. It was stewarded into the Senate by Senators Mark Warner, Cory Gardner, Maggie Hassan and Steve Daines; Representatives Robin Kelly and Will Hurd introduced the legislation in the House.

“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” Warner, who represents the state of Virginia, said in a statement.

Before you get all excited that Congress is finally going to save us from our toasters, the federal IoT security bill is not only pretty limited and technically unsophisticated, it would also only apply to tech companies and other manufacturers that want to sell their products to the U.S. government.

The bill is a virtual duplicate of one that was originally introduced in 2017 but lawmakers seem to be taking a little more interest after Lt. Gen. Robert Ashley, director of the Defense Intelligence Agency, called IoT devices one of the most important emerging threats to U.S. national security during testimony to the Senate last year.

If passed, the bill would first require a solicitation of recommendations from the National Institute of Standards and Technology (NIST) as to which security standards and protocols the government should follow. The agency would also be tasked to review the standards every five years.

As to the actual purchasing standards in regard to IoT devices, the government would require verification from each vendor that their device does not contain any known security vulnerabilities, uses industry standard technology, and doesn’t have any fixed credentials. Behavioral requirements would include notifying the government of any vulnerabilities that arise and providing information on continuing security support, among other things

The legislation shines a light on IoT cybersecurity and aims to set the bar a little higher for manufacturers of IoT devices, especially if they want to pursue lucrative government contracts. Consumers will likely notice little to no effect on their own smart home devices, as large government contracts tend to lean toward special versions of devices that meet government standards.

We’ll keep you posted as this IoT cybersecurity bill winds its way through our government’s lawmaking gears.