Cybersecurity made it through Capitol Hill! After its long, long journey to Washington, D.C., the Internet of Things Cybersecurity Improvement Act has finally become law. (Throwback to Schoolhouse Rock, anyone?) On Dec. 4, the president signed new legislation to mandate security requirements for internet-connected devices and smart sensors purchased by the federal government. This new law will require the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to create and review standards for connected devices, which have long been plagued by security and privacy issues.
As we know, setting a minimum security standard for all connected devices purchased by government agencies is no easy feat. But what does all of this mean for government agencies deploying IoT devices?
What’s the big deal?
According to Sen. Gardner, co-chair of the Senate Cybersecurity Caucus, “Most experts expect tens of billions of devices [to be] operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand.” Now more than ever, our world is reliant on digital devices, expanding the potential attack surface. By establishing a clear minimum standard for connected devices for government use, the government will be able to confidently work with contracted manufacturers knowing their data and information will be secure.
Here are some existing challenges with IoT device security that government entities are currently facing:
- Malware: Although malware has existed for many years, the rapid growth in the number of IoT devices and the insecure deployment of such devices have made it easier for cybercriminals to infiltrate government agencies through malicious code. For example, in Sept. 2016, Mirai, a strain of botnet malware, infected millions of routers and CCTV cameras through compromised devices. This led to an attack against DNS provider Dyn, causing many services to go offline.
- Insecure Wi-Fi Connection: While the focus is often on the IoT device itself, vulnerable Wi-Fi connections are just as, if not more, dangerous. As government agencies have been spread thin during the pandemic, many devices have been used on insecure home networks, leaving agencies more vulnerable to attacks.
- Unsegmented Networks: When multiple devices are connected over a single, unsegmented network, access to one device can mean access to all. Rather than segmenting a network to separate computers, printers, and other computing and IoT devices, some agencies use a single, unsegmented network that leaves them vulnerable to malware and other attacks through a single source.
Challenges associated with IoT devices will only continue to increase through insecure connections and devices. With cybersecurity standards here to regulate challenges facing our connected world, essential infrastructure may experience a huge facelift in the security arena. After almost three years, the federal government has taken a huge step forward for cybersecurity – and we hope it doesn’t stop here.
Carolina Advanced Digital offers consulting, services, and products for managing IoT security including wireless security, network hardening, Zero Trust Networking, NAC and other dynamic segmentation solutions as well as SOC-as-a-Service and managed security solutions. Most of our solutions are available on convenient procurement contracts such as NASA SEWP V, GSA, and state contracts. For federal buyers, we’re also HUBZone and SDVOSB certified. Contact us today to schedule a call and discuss your needs!