Barry Argento, the 403rd Wing comptroller and budget officer, takes notes while working from home in March.

ALBUQUERQUE – When the pandemic forced federal workers to work remotely, it dramatically expanded the possible attack surface on government networks. No one should have been surprised: experts have warned for years about the hazards posed by devices like Internet-ready fridges. To try to tighten things up, Congress is likely to move on an Internet of Things cybersecurity law in the next two to three weeks, said Mark Montgomery, executive director of the congressionally mandated Cyberspace Solarium Commission.

“We saw that with the workforce at home, household Internet of Things devices — particularly household routers — have become vulnerable but really important pieces of our National Cyber ecosystem,” said Montgomery. “They expand our adversary’s attack surface he can hit.”

What is different, now, is that the scale of remote work in the face of the COVID-19 pandemic makes the hazard too big to ignore. After years and years and years of inaction on cyber infrastructure, it appears Congress might actually act.

Congress established the Cyberspace Solarium with the 2019 NDAA to fill a void in strategic thinking. Its first report was published in March 2020. Once the pandemic struck and the scale of the cyber threat became obvious, the commission published a pandemic annex in June.

“This is going to be hard in my opinion, one of the hard laws to pass because it can get pretty open ended,” Montgomery said. “To ensure that the manufacturers of IoT devices would build basic security measures into the products they sell, we thought Congress needed to pass this IoT security law, and the law should focus on known challenges like insecurities and Wi-Fi routers, and mandate that these devices have reasonable security measures, such as those that NIST has put out.”

Montgomery spoke Aug. 20 on a cybersecurity panel hosted by AT&T. The panelists included government and industry cybersecurity experts who expressed a consensus that, while many of the present vulnerabilities predate the pandemic, the crisis has exacerbated risks, and demonstrated the potential stakes of failing to prevent an attack that incapacitates modern internet infrastructure.

“This is a hard law to write; it can very quickly get into something that the FTC can’t regulate,” said Montgomery.

In its current form, Montgomery believes the law should focus on ensuring that devices designed to connect to the Internet meet NIST cybersecurity standards. The law will likely allow the FTC to mandate that manufacturers ensure the internet-connected devices they make can be patched remotely, so that security holes can be plugged as soon as they are discovered.

The legislation will also try to address flaws in how devices are authenticated. Devices that ship with built-in default passwords provide a false sense of security: many users never change the default password, or do not even know there is one to change.

“We had to pick someone to pin the tail on, somebody to enforce this and the FTC was the logical choice,” said Montgomery. “You’ll see that law coming out over the next couple of weeks and it’s going to take a lot of public comment, and it’s going to take a lot of work with federal agencies with probably six to seven committees in the House and seven or eight committees in the Senate. So what I’m saying there is this is gonna be a long drawn out process.”

It remains to be seen what the final, or even initial, form of this new legislation looks like.