Matthew Rosenquist
Member
The Internet of Things Cybersecurity Improvement Act of 2017 is proposed legislation intending to require basic best-practices for cybersecurity when the government is looking to purchase products. It imposes certain design requirements and capabilities to enhance overall security.
It includes nontrivial vendor constraints, things like:
- Vendors cannot release products with known vulnerabilities.
- Systems must be architected so they can be patched in the future when new vulnerabilities are discovered.
- Designs are prohibited from embedding fixed passwords that cannot be reset or changed.
This legislation, if approved, will put limitations on what systems the U.S. government can consider procuring. Therefore, vendors who want such customers will need to be more responsible when it comes to designing security into their products.
Recently the U.S. Army has ordered troops to stop using drones made by a major Chinese manufacturer, citing cyber vulnerabilities.
I support good security practices but in general feel legislation is a poor safety net to make them commonplace. It shouldn't be necessary. Sadly, I recognize that when the industry ignores the basics, market customers, such as governments, may be forced to set their own standards for purchases.
I expect other governments and sectors like finance, healthcare, and critical infrastructure to also incorporate these guidelines in their procurement requirements. If other markets follow suit, it may be a harsh wake-up call for IoT vendors that security is as important as quality.
Interested in more? Follow me on LinkedIn, Twitter (@Matt_Rosenquist), Information Security Strategy, and Steemit to hear insights and what is going on in cybersecurity.