Internet of Things (IoT) legislation has been virtually nonexistent over the years. This is all about to change, but there’s no need for panic or for everyone to grab their pitchforks and torches. Legislation for IoT will be limited and aims to help improve the standards and security of IoT devices. This is a good thing, but before discussing impending legislation and the ramifications of said laws, it’s important to understand the history behind them.
What IoT regulations?
The relaxed restrictions IoT has enjoyed for several years were carried over from when the U.S. Congress took a hands-off approach to regulating the internet as a whole. However, this laid-back approach has been weakening as companies like Facebook and Google have faced data security issues and congressional hearings over the last few years. This, in tandem with cybersecurity risks from other countries, has raised the stakes as Congress looks to limit the risk to the United States’ infrastructure, economy and security. Consumers are already well aware of the risks of webcam hijacking, and the U.S. Congress is not blind to this issue at a broader level.
Currently, there are several U.S. agencies whose authority over IoT is implicit in their roles and jurisdictions. The Department of Commerce, Department of Defense (DoD) and Department of Justice all have some form of IoT regulation, but many are wary of department overreach or, conversely, inaction. Overlapping responsibilities create a classic bureaucratic challenge: everyone is in charge, and no one is in charge. The need for one overarching authority is apparent.
Over the years, several bills have been proposed, but significant legislation aimed at IoT has failed to pass. However, with the recent success in securing industry information technology (IT) networks for DoD contractors, there is a template for legislators to follow. The template was established in 2014 when the U.S. National Institute of Standards and Technology (NIST) published a policy framework of digital security guidance for private sector companies. Its goal was to help evaluate and improve an organization’s ability to prevent, detect and respond to cyberattacks. This framework has been adopted by many governments around the globe and serves as an example of regulatory success. The U.S. Congress believes a similar framework aimed at IoT is reasonable.
All of this leads to House Bill 1668. The bipartisan bill is currently in consideration and will likely be passed or rewritten to include different language. Regardless, legislation on IoT is finally coming. From a broad point of view, the bill would accomplish four things. First, it clarifies the role of NIST as the lead organization to set IoT standards, rather than leaving each respective agency to set its own. Second, it requires vendors selling IoT devices to the federal government to self-report cybersecurity issues. Third, it requires federal agencies to procure IoT devices using NIST standards. Finally, it requires NIST to report and update IoT standards.
This bill mainly serves to tackle cybersecurity and to establish the standards that will help keep cyberthreats against IoT devices from becoming realities. Vulnerabilities will be identified and addressed, while policies and procedures for device manufacturing are created. Any aspect of a device that compromises the confidentiality, integrity or availability of information is considered a vulnerability and a risk.
As the bill continues its journey through the legislative system, some aspects are still unclear. What exactly will end up being regulated, and what are the exact definitions of certain words? For example, what does “connected to the internet” entail, and what is considered “federal use”? There is also the question of what the U.S. will do in relation to international standards. Will there be collaboration, or will the U.S. take the lead on creating standards?
It’s important to establish that this legislation applies only to IoT edge devices used by the federal government. If the bill cast a wider net, it would never pass. This bill does not apply to consumer devices such as mobile phones or personal computers, or to private citizens in general. It only targets remotely operated devices procured by the federal government and excludes those not consistently connected to the internet. Additionally, it does not regulate network security, as other federal standards already exist on the network side.
The Trickle-Down Effect
These caveats do not mean there won’t be far-reaching effects. The broader policy goal is to influence all of IoT by setting a “reasonable person” standard. With the federal government setting the example, it is likely we’ll see security standards extend outward over time. The policymakers are hoping that outside organizations and corporations will adopt and apply the same standards to their devices, creating regulation on a wide scale without actually imposing restrictions.
This style of legislation accomplishes a couple of goals. First, standards are suggested to the wider market instead of imposed through binding regulations. Second, it helps regulate the government itself. Since the bill is bipartisan, there’s a real possibility of it passing in both the House of Representatives and the Senate.
Ultimately, some form of IoT legislation will pass sooner rather than later. House Bill 1668 is the first bill likely to get over the hump, and it will be telling to see how quickly and widely it will be adopted beyond federal walls. In this case, regulation is an improvement on the current state of affairs, and it will help usher in a new era of reliable and safe IoT products.