Supporters of the recent bill to raise cybersecurity standards in the Internet of Things (IoT) industry have finally achieved their goal after a full year’s work, with the bill having been cleared in both branches of Congress on December 4, 2020. The aim is for the legislation to cover the industry and consumer markets for connected devices so as to preserve personal and national cybersecurity. Senator Mark Warner stated that “While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security.”
Cybersecurity problems and devices: The weakest link
The Mirai botnet attack, launched by teen scammers, showed the potential harm that unprotected IoT devices can cause. This massive DDoS (Distributed Denial of Service) attack cut off Internet access for residents along the US East Coast. The attack essentially involved bombarding a target server with traffic until it was overwhelmed and went offline. While desktop devices have more mature built-in security, IoT devices often run stripped-down Linux systems that cannot be patched remotely. Since IoT devices are sold at far lower prices than desktop computers, their maintenance plans tend to be weaker and their updates slower. Moreover, the number of devices grows every year, increasing the number of vulnerable endpoints.
Cybersecurity risks in rural locations
People living in remote locations are particularly vulnerable to cybersecurity threats, and although progress in Internet access for rural communities has been made, these communities continue to face specific challenges. These include a lower availability of broadband and a lack of communication lines in remote areas. A lack of IT education and awareness is another problem for rural users – a fact that can worsen education inequality, but also make these populations more likely to succumb to cyber attacks. As found in a study by M. Grobler and colleagues, problems such as the inherent vulnerability of IT devices are made worse by a lack of awareness and the failure to install basic security software or take key steps such as protecting passwords, avoiding phishing and other scams, and spotting potential threats early when using IoT devices.
New recommendations required
The bill requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specific steps to reduce the likelihood of attacks on IoT devices. In particular, it calls upon the NIST to develop recommendations for the correct use and management of devices. The NIST and OMB will need to create a guide on policies and procedures for reporting, coordinating, and sharing and receiving information regarding security vulnerabilities relating to IoT devices used by the government.
IoT devices are growing in popularity, with most households in the US having access to one or more types of mobile device. The Mirai botnet attack is indicative of the havoc that can be wreaked when these devices are targeted, owing to their inherently weaker security systems. Rural communities are at a greater risk than urban ones. It is expected that these devices will be subject to stricter control following the establishment and publication of new standards by the NIST and OMB.