Pending Legislation Will Change How the U.S. Government Buys Internet of Things Devices

Distributed Denial of Service (DDoS) attacks of increasing frequency and severity are threatening both the public and private sectors in the United States and across the world. Many of these attacks employ Internet of Things (IoT) devices – hijacked with malware – to disrupt their targets with a flood of unwanted connection attempts. During the October 2016 cyber assault on the domain name service provider Dyn, hundreds of thousands of such commandeered appliances overwhelmed the company with Internet traffic. Earlier in the year, a college student and his two friends had infected security cameras, wireless routers, and other Internet-connected devices, assembling them into the “Mirai botnet.” After the original authors publicly posted their weaponized command-and-control code, a still-unidentified third party used it to launch its own DDoS attack against Dyn.

Understanding the threat posed by insecure IoT devices, the United States Senate is taking steps to ensure that federal equipment and networks do not serve as unwilling soldiers in a future botnet army. The aptly named Internet of Things Cybersecurity Improvement Act (IoTCIA) of 2017 is one such measure that, if signed into law, will impose new requirements on companies that sell to the government. If certain stipulations of the bill remain, the Armored Things solution will be able to help customers meet some of the new standards that the draft legislation might eventually require.

Armored Things and “mitigation actions” under the IoTCIA

Developing a product free of both software and hardware vulnerabilities should be any IoT device manufacturer’s objective. One key IoTCIA provision requires that all companies selling to the government certify that their systems do not contain any known flaws. With the need to adapt to changing technologies and rapidly bring new products to market, however, meeting this standard is a significant challenge. Furthermore, expensive overhauls of large numbers of relatively cheap devices – such as security cameras – that have already-identified vulnerabilities might not be economical or feasible.

Thankfully, the IoTCIA allows for waivers in these situations, allowing federal agencies to purchase such devices provided that the seller take reasonable “mitigation actions that may limit or eliminate the ability for an adversary to exploit the vulnerability.” By detecting and helping to remediate threats to IoT devices as part of a broader incident response solution, Armored Things will be able to assist device manufacturers in becoming IoTCIA compliant without expensive physical or digital modifications to their products.

Conclusion

Although the IoTCIA remains in committee proceedings in the Senate and may evolve throughout the legislative process, the intent of lawmakers to fix potential vulnerabilities in IoT devices sold to the federal government is clear. Having witnessed a wave of DDoS attacks and other incidents resulting from insecure Internet-connected machines, at least some legislators have come to realize the importance of securing IoT devices sold to the government. All companies currently or prospectively selling items covered by the proposed law should thus take affirmative steps to ensure they can meet the increasingly stringent requirements that such new legislation might impose.

Jaclyn Shepherd