Proposed IoT Security Bill Doesn’t Go Far Enough
By: Delia J. Smith

Earlier this month, four U.S. senators introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. This piece of legislation seeks to establish minimum cybersecurity standards for federally procured Internet of Things devices. It defines a device as a physical object that can connect to – and regularly connects with – the Internet and “has computer processing capabilities that can collect, send or receive data.”

In a nutshell, the act would require vendors to certify that IoT devices they are selling to the U.S. government:

  • have no known vulnerabilities;
  • can be properly authenticated and updated in a trustworthy fashion;
  • use current industry standards for communications, encryption, and interconnections;
  • eliminate fixed passwords.

The bill is endorsed by numerous legislative technology groups and companies. Cybersecurity researcher Nicholas Weaver calls it a “solid piece of common-sense legislation.”

The act is a noble effort and may well pass. However, it won’t adequately protect our nation’s IoT devices because, all too often, a device has a software weakness unknown to the vendor. This is called a zero-day vulnerability. Attackers patiently and deliberately search for these holes because, once one is found, it can be exploited to access user information or to install malware and spyware. Only after the user discovers the breach – which can take months if not years – can developers hurriedly produce a “patch” to repair the software’s weak point.

To understand the severity of zero-day vulnerabilities, consider these statistics:

Here’s another drawback to the bill. As detailed in this article and this article and this report, quite often hacks are not the fault of the device. Human error, stolen credentials and poor patch management can also be the cause. In fact, the largest hack in U.S. government history – the Office of Personnel Management breach – was initiated when a hacker stole the credentials of a government contractor.

And, as a February 2017 report by the U.S. Government Accountability Office found, federal agencies “consistently fail to apply critical security patches on their systems in a timely manner, sometimes doing so years after the patch becomes available.”

At Dispersive, we create software networks that feature highly advanced techniques that can help secure IoT devices from unauthorized access. It’s technology that can change the way you use the Internet.

We welcome the chance to talk with you – or anyone in Congress who may be interested – about all this. To get the conversation started, just email us at or call us at 1-844-403-5852.
