The Internet of Things Cybersecurity Improvement Act will have a huge impact on the construction of the Internet of Things in the United States, and may affect exports of Internet of Things equipment from our country.
On December 4, 2020, the US "Internet of Things Cybersecurity Improvement Act" was officially signed by US President Trump and became US law. After many years of twists and turns, the Act has finally been promulgated.
1. History of the Internet of Things Cybersecurity Improvement Act
In 2016, attacks such as the Mirai botnet brought down several popular websites and drew attention to the need for security in IoT devices. This prompted U.S. lawmakers to realize that the U.S. needs to keep up with the exponential growth in data brought about by IoT devices and to ensure appropriate security and protection measures.
In 2017, with the help of the Atlantic Council and Harvard University, U.S. Senator Mark Warner, Democrat of Virginia, and Senator Cory Gardner, Republican of Colorado, introduced a new bill, the "Internet of Things Cybersecurity Improvement Act", which sought to create a framework requiring equipment vendors to the federal government to follow industry-wide security practices, such as ensuring that wearables, smart sensors, and other devices receive bug fixes, support password updates, and are brought to market without known security flaws. The purpose of the bill was to prevent the government from buying Internet-connected devices with a few apparent security flaws, but the bill was ultimately not passed, for various reasons.
On March 11, 2019, U.S. lawmakers reintroduced the Internet of Things Cybersecurity Improvement Act (HR 1668) to Congress. The bill sought to address the cyber risks associated with IoT devices by establishing minimum security standards for all IoT devices purchased by U.S. government agencies. At the introduction stage, the bill received support from Rep. Will Hurd (R-Texas), Rep. Robin Kelly (D-Illinois), Sen. Mark Warner (D-Virginia), and Colorado Republican Rep. Cory Gardner. This bill is the original version of the Internet of Things Cybersecurity Improvement Act.
On September 14, 2020, the U.S. House of Representatives passed the IoT Cybersecurity Improvement Act (HR 1668) and submitted it to the Senate for consideration. On November 17, 2020, the Senate passed the IoT Cybersecurity Improvement Act unamended, sending it to the White House for the President to sign. On December 7, 2020, President Trump formally signed the Internet of Things Cybersecurity Improvement Act into law.
2. Contents of the Internet of Things Cybersecurity Improvement Act
The IoT Cybersecurity Improvement Act requires the National Institute of Standards and Technology (NIST) to publish standards and guidelines for federal government use of IoT devices, and directs the White House Office of Management and Budget (OMB) to review government policies to ensure they comply with the NIST guidelines. Federal agencies will not be allowed to purchase IoT devices that do not meet the security requirements. The Act aligns its definition of the Internet of Things with the one in the document "Recommendations to Internet of Things Device Manufacturers: Baseline Activities and Core Device Cybersecurity Capabilities": "a device that can work independently, has a network interface, and has at least one transducer (sensor or actuator) for direct interaction with the physical world". This definition is very broad. The Act also establishes the levels of responsibility for protecting federal agencies from cyberattacks, with the executive branch, the Office of Management and Budget, the Secretary of Homeland Security, and the heads of each of these agencies jointly responsible for overseeing the development of the National Institute of Standards and Technology (NIST) IoT security standards. The law also requires U.S. federal agencies and vendors to use only devices that meet the specified standards, and to notify agencies, among others, of known vulnerabilities affecting devices.
The signing of the "Internet of Things Cybersecurity Improvement Act" represents an important step for US network security. It can ensure the security of the US government's Internet of Things devices to a large extent, and it also means that the United States will subject Internet of Things devices to closer review. Whether it will affect exports of our country's Internet of Things equipment remains to be seen.
3. Full text of the law