US Congress passes bipartisan act to improve IoT security

And it only took them three years

The US Senate has unanimously passed a bipartisan bill that aims to bolster the security of IoT devices for government use.

Bill H.R.1668 - the IoT Cybersecurity Improvement Act of 2020 - mandates minimum security requirements for IoT devices purchased by American federal agencies.

Under the new legislation, the National Institute of Standards and Technology (NIST) will write new standards for the development, patching and management of IoT devices. Vendors will also be required to bring in a formal process for reporting and patching vulnerabilities.

Before purchasing IoT devices, government agencies will ensure that what they are buying adheres to the NIST recommendations.

The idea is to shield federal agencies from cyber-espionage campaigns, and to use the purchasing power of the government to encourage vendors to adopt the same standards.

Some states, like Oregon and California, have already introduced laws to this effect, but the passage of the bill at the federal level will - it is hoped - encourage the IoT industry to create new device security standards.

The IoT industry is notoriously lax when it comes to security. Many devices are sold without passwords, or with default passwords that do not need to be changed before the device can be used. Stories of attackers targeting the IoT are becoming more common every year.

The IoT Cyber Security Act mandates that federal acquisition rules must be updated regularly to reflect new security guidelines and standards. Federal agencies will not be allowed to purchase or renew contracts for devices that fail to meet these guidelines.

Sens. Cory Gardner (R-Colo.) and Mark Warner (D-Va.) first introduced the bill in 2017. Congresswoman Robin Kelly (D-Illinois) reintroduced it last year.

The US Chamber of Commerce initially opposed the bill, arguing that the law would be too burdensome on industry. The sponsors worked on the proposals to ease the concerns of the group, and after more than three years of bipartisan effort, it was passed unanimously in the House of Representatives in September. It has now also passed the Senate.

In a statement issued after the bill's passage, Kelly said that the new law "will ensure that the US government purchases secure devices and closes existing vulnerabilities to protect our national security and the personal information of American families".

The bill is now off to the White House for the President's signature. President Trump is not likely to oppose the bill, considering the fact that not a single vote was cast against the legislation.

In the absence of a veto, Trump can either sign it, or it will simply become law after 10 days.

The UK government is also in the planning stages for similar regulations or laws aimed at IoT security.