New Bill could make security a vendor’s obligation


The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 could require vendors to provide internet-connected equipment to the US government that is patchable and that conforms with industry security standards. Additionally, no devices can be supplied that have unchangeable passwords or possess known security vulnerabilities.

The bipartisan bill, introduced into the U.S. Senate on Aug. 1, “is an important step in raising awareness and accountability for the internet of things manufacturers,” said Tracie Grella, global head of cyber risk insurance for American International Group Inc. in New York.

“It’s focused on manufacturers that are supplying to the federal government, but that’s a great step because the requirements and security controls could trickle down to all their products which are available for the private sector and consumers.”

The significance of the bill is that it highlights just how important IoT device security is and how much of a threat IoT security vulnerabilities can be, particularly as these are devices built as day-to-day consumer products, without security being top of mind.

“They’re being built with overall usability and not security, so I think this (bill) is a positive step, especially with regard to equipment that’s going to be provided to the government,” said Ryan Gibney, Northeast cyber technology practice leader for Lockton Cos.

According to Gartner, more than 8.4 devices will be connected via the IoT by 2017, a 31% increase from 2016. Total devices are expected to reach 20.4 billion by 2020.

According to Business Insurance: “In July, news accounts described how hackers tried to steal data from an unnamed North American casino through a fish tank that had been connected to the internet to feed the fish and keep their environment comfortable. Although extra security had been set up on the fish tank, hackers still managed to compromise the tank to send data to a device in Finland before the threat was discovered and stopped.”

“The internet of things really broadened the attack surface for cyber hackers,” said Matthew McCabe, senior vice president with Marsh’s cybersecurity practice. “At one point, it was attacking the network, but now every device that you’re used to seeing in a home or business seemingly can be attached to the internet for purposes of efficiency or convenience. But all these create new points of vulnerability. We’re trying to do security catch-up at this point, and it’s hard to do catch-up because the genie’s already out of the bottle.”

Story originally published in a slightly different format in Business Insurance.