A new law setting cybersecurity standards for Internet of Things devices that federal agencies buy could have a larger impact on the industry due to the government’s purchasing power.
The standards, which under the law must be finalized in early 2021, are likely to prompt makers of internet-connected devices to step up their security so they can sell to the government.
“The statute leverages the purchasing power of the federal government to raise the floor on IoT device cybersecurity,” said Micaela McMurrough, a partner at Covington & Burling LLP, who advises companies on cybersecurity issues.
The Internet of Things Cybersecurity Improvement Act, which was signed into law in early December, directs the National Institute of Standards and Technology to write cybersecurity standards for IoT devices. NIST recently proposed draft cyber standards for device makers and government buyers that are open for public comment until Feb. 12.
The government uses IoT devices for everything from smart building management to environmental monitoring, according to a report from the U.S. Government Accountability Office. Many agencies are likely to ramp up their IoT use over time, the report says.
But vulnerabilities in connected devices, such as preset passwords that are easy to hack, could be used to gain entry into government systems. That’s led some agencies, including NASA, to develop their own IoT technologies instead of purchasing them from the private sector, the GAO found.
Other agencies won’t be allowed to buy private sector devices unless those devices meet the new minimum standards for cybersecurity, starting two years after the law’s enactment. Compliance, though, could be challenging for makers of relatively small and inexpensive devices, potentially driving up their costs.
Companies making devices for consumers are likely to apply the standards across the board, rather than producing separate versions of products for consumers and the government.
“While the federal government might not be a massive portion of the overall sales of these companies, it will have a ripple effect,” said Brad Ree, chief technology officer for the ioXt Alliance, an industry-led security certification program for connected devices. Members of the alliance, which supports the new law, include
The law seeks to address concerns that connected devices could be used as a “vulnerable vector” for a broader cyberattack, according to Christian Fjeld, a former congressional staffer who’s now a vice president at law firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C.
Hackers who stole credit card data from Target Corp.'s payments system in 2013, for example, appeared to have used credentials from a refrigeration contractor that had access to the retailer’s network for maintenance purposes.
“Securing IoT connectivity helps harden the overall system,” Fjeld said.
Smaller and relatively inexpensive devices that connect to a network, such as a door lock or thermostat, could have a harder time complying with the new federal cyber standards.
“The challenge I think for the device manufacturers is being able to comply with these obligations when producing really inexpensive devices,” said Daniel Pepper, a partner at Baker & Hostetler LLP who focuses on data privacy and cybersecurity law. “There will be a cost increase,” he added.