IT security professionals have to worry about defending against ever-evolving cyber threats and, increasingly, the C-suite has to worry about complying with cybersecurity laws. The year 2018 will be marked by increasing regulations, and discussions about regulations, that are intended to protect cyberspace. In the US, the next wave of National Institute of Standards and Technology (NIST) guidelines could impact how Federal agencies safeguard the information contained in their systems and ensure that these systems operate securely and reliably. In addition, there is increasing talk among politicians and federal agencies about whether and how to require IoT device manufacturers to build more secure IoT devices, which would make it harder for attackers to harness those devices into botnets that are then used to launch distributed denial of service (DDoS) attacks.
The idea behind the proposed Internet of Things (IoT) Cybersecurity Improvement Act of 2017 is that if IoT manufacturers build in better security, then end-users won’t have as much responsibility to install updates and change default passwords. But if this bill ever gets passed by Congress, by the time that happens billions of new, unsecured IoT devices worldwide will already have been produced, and attackers will have harnessed millions of them into zombie botnet armies. The US government can influence or regulate only US manufacturers. Requiring better-secured IoT devices is not a bad idea, because it will help reduce the number of vulnerable IoT devices. However, it won’t eliminate the problem of IoT botnets.
By far the most pressing regulation is already set in motion, and it will go into effect near the end of May 2018: Europe’s General Data Protection Regulation (GDPR). Organizations around the world that hold European data in their systems are no doubt scrambling to make sure that they comply with this far-reaching set of regulations. For more on this topic, see “Personal Data Security a Priority with New EU Regulations.”