Democrats have taken another stab at legislating cybersecurity into Internet of Things (IoT) devices, reintroducing the Cyber Shield Act, a voluntary certification program that allows manufacturers to verify their connected devices as hacker-proof.
The bill was first introduced in 2017 and again in 2019, with this latest attempt again sponsored by Senator Edward J. Markey (D-MA) and Congressman Ted Lieu (D-CA). The Act, which doesn’t seem so controversial as to be repeatedly denied a floor vote, establishes cybersecurity benchmarks for IoT devices based on standards set by an advisory committee of cybersecurity experts from academia, industry, consumer groups, government and the public.
Devices such as baby monitors, home assistants, smart locks, cameras, cell phones and laptops would carry an emblem to certify compliance. IoT manufacturers sporting the mark would convey to the public that their products were secure to use.
“The IoT will also stand for the Internet of Threats until we put in place appropriate cybersecurity safeguards,” Markey said, in reiterating his remarks supporting the 2019 bill. “With as many as 75 billion IoT devices projected to be in our pockets and homes by 2025, cybersecurity continues to pose a direct threat to economic prosperity, personal privacy, and global security,” he said. “By creating a cybersecurity certification program, the Cyber Shield Act will give consumers a seal of approval for more secure products, as well as encourage manufacturers to adopt the best cybersecurity practices so they can compete in the marketplace for safety.”
Lieu said the bill will bring cybersecurity for IoT devices to “top of mind” for manufacturers and consumers. “For every smart refrigerator or wifi-enabled baby monitor, there comes increased cybersecurity risks that make consumers vulnerable to hacking and invasions of privacy,” he said.
The measure has drawn support from security providers and industry associations, including Public Citizen, the Massachusetts Tech Leadership Council, Rapid7, Cybereason, Internet Association, the Institute for Critical Infrastructure Technology and the Center for Democracy & Technology.
“Securing the wave of IoT devices that we expect in consumer and enterprise products is critical to protect consumers, to safeguard the public, and to avoid what amounts to digital pollution in the coming years,” said Samuel Curry, Cybereason chief security officer, in supporting the bill. Greg Nojeim, director of the Security & Surveillance Project at the Center for Democracy & Technology, said the Act “establishes a process through which consumers will learn which IoT devices meet key security standards and which may not.”
The pace of new IoT cybersecurity bills has picked up in the last two years. Last December, former President Trump signed into law the Internet of Things Cybersecurity Act of 2020, requiring all computers, mobile devices and other systems connected to the internet to adhere to minimum security guidelines issued by the National Institute of Standards and Technology (NIST). Under the measure, device makers in the federal government’s procurement supply chain must inform agencies of any known vulnerabilities that hackers could exploit.
In 2018, then-California Governor Jerry Brown signed into law a bill mandating that manufacturers affix unique passwords onto their connected devices, making it the first IoT device security regulation to come into effect in the U.S.