Everyday devices that connect to the Internet to provide us with functionality and convenience continue to proliferate. Cisco predicts that in 2021 there will be 27.1 billion networked devices in use across the globe, up from 17.1 billion devices just four years earlier [1]. That is about 3.5 networked devices for every man, woman, and child on earth. As processors grow smaller and less expensive, and networking technologies become more widely available, this number can only be expected to rise.
What are "Internet of Things" Devices?
“Internet of Things” (IoT) devices are devices that you don’t normally think of as having an Internet connection. In addition to connected audio devices like Amazon Echo or Google Home, there are smart locks that track a homeowner’s comings and goings, light switches and plugs that can be controlled remotely, a smart orthopedic brace that alerts healthcare providers when a patient isn’t doing the requisite physical therapy, and watches that track physical activity, including heart rate, blood pressure, and sleep patterns. You can even buy a connected teakettle and connected toys!
For all of the fun and convenience they may offer, IoT devices can also introduce insecurity into your life. Like other computer systems, these devices and the services behind them collect personal data that is sensitive or confidential on its own, or that becomes sensitive or confidential when combined with other data. In addition, the devices themselves often run outdated operating systems on aging hardware, lack any practical way to receive updates, ship with hard-coded passwords that the owner cannot change, and transmit data over the network without encryption or without any clear need to send it at all. The absence of security and privacy standards for IoT devices clearly introduces risk for the average household, but what happens when these devices are used within federal agencies to further the work of the government?
History of U.S. Regulation of IoT Devices
On December 4, 2020, the President of the United States signed into law H.R. 1668, the “Internet of Things Cybersecurity Improvement Act of 2020” (the IoT Act) [2]. The IoT Act enjoyed strong bipartisan support in Congress, signifying an understanding of the growing use of IoT technology in governmental operations, as well as the importance of proactively addressing the cybersecurity issues inherent in IoT devices.
The Act establishes security requirements for IoT devices that are owned or controlled by the federal government and directs the National Institute of Standards and Technology (NIST) to create minimum cybersecurity standards for such devices. Under the Act, NIST has 90 days from enactment to develop these standards, along with guidelines on federal agencies’ appropriate use and management of IoT devices. Within 180 days, NIST must also develop guidelines on reporting and publishing information about IoT device security vulnerabilities. Two years after enactment, federal agencies will generally be prohibited from procuring or using any IoT device that does not comply with the NIST standards.
Around the time the Act was signed, NIST released a draft of Special Publication 800-213, IoT Device Cybersecurity Guidance for the Federal Government [3]. The document outlines how IoT devices may fit into a federal agency’s information systems and the questions an agency must ask when considering IoT devices for use. The public may comment on the draft guidance until February 12, 2021.
Even before the Act was signed, NIST had already devoted significant resources to IoT-related guidance. In May 2020, NIST released an interagency report, NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers [4]. This document encourages IoT device manufacturers to focus on six foundational cybersecurity activities so that the devices they make can be secured by their customers:
1. Identify expected customers and users and define expected use cases.
2. Research customer cybersecurity needs and goals.
3. Determine how to address customer needs and goals.
4. Plan for adequate support of customer needs and goals.
5. Define approaches for communicating to customers.
6. Decide what to communicate to customers and how to communicate it.
To help manufacturers with the third activity (determine how to address customer needs and goals), NIST also published NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline [5]. That document lists a set of core cybersecurity capabilities that IoT devices should implement: device identification, device configuration, data protection, logical access to interfaces, software update, and cybersecurity state awareness. While NIST notes that the capabilities in the baseline are not an exhaustive list, the baseline gives IoT manufacturers a starting point for managing IoT device cybersecurity risk.
In December 2020, NIST introduced three additional draft interagency reports for IoT manufacturers, the last of which is aimed specifically at devices made for the federal government:
- NIST IR 8259B, IoT Non-Technical Supporting Capability Core Baseline [6]
- NIST IR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline [7]
- NIST IR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government [8]
As with SP 800-213, the public may comment on the draft reports until February 12, 2021.
How Consumers Can Protect Themselves and Their IoT Devices
As the federal government moves to strengthen IoT device security, it stands to reason that more secure devices will eventually make it into the hands of consumers as well. Until then, there are a few things consumers can do to protect themselves and their IoT devices:
- Change the default usernames and passwords on your devices wherever the device allows it; a device whose password is hard-coded and cannot be changed is a reason to look for a different product. If your IoT devices offer two-factor authentication, use it.
- Disable any features of the device that you do not need.
- Understand what data the device collects and how it is used, and limit collection to only what is needed for the features you actually use.
- If the device collects a history, consider deleting it regularly.
- Install updates promptly when you receive them, especially when the update fixes a security flaw, and turn on automatic updates if the device offers them.
- Read the “Terms and Conditions” for services, devices, and apps every time, and make sure you understand what you are agreeing to.
To learn more about how the U.S. federal government approaches information security and privacy regulations, see Chapter 8 from Grama, Legal and Privacy Issues in Information Security, Third Edition.
About the Author
Joanna Lyn Grama, JD, CISSP, is an Associate Vice President at Vantage Technology Consulting Group. She has more than 20 years of experience in higher education with a strong focus on law, IT security policy, compliance, governance, and data privacy issues.