Democrats in the House and Senate on October 23 took another stab at legislating cybersecurity into Internet of Things (IoT) devices, reintroducing the Cyber Shield Act, which would establish a voluntary certification program that verifies connected devices as hacker-proof.
The Act was first introduced two years ago but drew no Congressional action. As with the earlier bill, the new measure would establish a committee of security experts from academia, industry, consumer advocates and the public to define cybersecurity standards for IoT devices such as baby monitors, cameras, cellphones, laptops and tablets. The idea is to badge IoT manufacturers whose products meet pre-set cybersecurity and data protection benchmarks with a “Cyber Shield” to reassure consumers that an IoT device is relatively secure from cyber attackers.
Senator Edward Markey (D-MA) and Congressman Ted Lieu (D-CA) are again the bill’s sponsors. Now, as he did in the legislation’s earlier try for Congressional approval, Markey cautioned that the IoT will also “stand for the Internet of Threats until we put in place appropriate cybersecurity safeguards. With more than 60 billion IoT devices projected to be in our pockets and homes by 2025, cybersecurity continues to pose a direct threat to economic prosperity, privacy, and our nation’s security.” The Cyber Shield Act’s certification will “give consumers a seal of approval for more secure products, as well as encourage manufacturers to adopt the best cybersecurity practices so they can compete in the marketplace for safety,” Markey said.
Lieu, who positioned himself as a “recovering Computer Science major,” said “we can’t ignore data security while we encourage technological advancement in every sector of our lives.”
The Cyber Shield Act is endorsed by the Internet Association, Public Citizen, the Massachusetts Tech Leadership Council, and cybersecurity providers Rapid7 and Cybereason.
“Providing consumers with clear information about critical security features in IoT devices will foster market competition based on security, promote innovation in security, and build trust in the security of IoT products,” said Harley Geiger, Rapid7’s director of public policy. Additional support for the bill came from Cybereason’s chief security officer Samuel Curry, who said: “We need to ensure that the next generation of tools is more secure and trustworthy in ways that are simple to adopt in the market as soon as possible and not fall into the same weaknesses that have plagued earlier waves of technology.”
The Cyber Shield Act is not the only proposed bill before Congress to secure IoT devices. In March, lawmakers introduced the bipartisan Internet of Things Cybersecurity Improvement Act of 2019 that would require connected devices procured by the U.S. government to meet certain minimum security criteria. The bill does not extend to consumer equipment. It is similar in scope and requirements to the Internet of Things Cybersecurity Improvement Act of 2017 and the Internet of Things Federal Cybersecurity Improvement Act of 2018, which have not drawn a vote in either chamber.
A year ago, California lawmakers tackled IoT security with a new bill that mandates that manufacturers affix unique passwords to their connected devices. Then-Governor Jerry Brown signed the bill into law, making it the first IoT device security regulation to come into effect in the U.S.
Global Internet of Things (IoT) security spending is expected to exceed $1.5 billion this year, according to researcher Gartner.