On August 1, U.S. Senators Mark R. Warner, Democrat of Virginia, Cory Gardner, Republican of Colorado, Ron Wyden, Democrat of Oregon, and Steve Daines, Republican of Montana, introduced bipartisan legislation with the goal of improving the cybersecurity of IoT devices. Warner and Gardner are co-chairs of the Senate Cybersecurity Caucus. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require that devices purchased by the U.S. government meet certain minimum security requirements.
“While I’m tremendously excited about the innovation and productivity that Internet of Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Senator Warner. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
Under the terms of the bill, vendors who supply the U.S. government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that cannot be changed, and are free of known security vulnerabilities, among other basic requirements. The bill, drafted in consultation with technology and security experts from institutions such as the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University, also reportedly would encourage the adoption of coordinated vulnerability disclosure policies by federal contractors and provide legal protections to white-hat security researchers abiding by those policies.
“The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices operating on our networks within the next several years,” said Sen. Gardner. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks. This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space. As co-chairs of the Senate Cybersecurity Caucus, Senator Warner and I are committed to advancing our nation’s cybersecurity defenses and this marks an important step in that direction.”
Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would:
“I’ve long been making the case for reforms to the outdated and overly broad Computer Fraud and Abuse Act and the Digital Millennium Copyright Act. This bill is a bipartisan, common-sense step in the right direction. This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company. Enacting this bill would also help stop botnets that take advantage of internet-connected devices that are currently ludicrously easy prey for criminals,” Senator Wyden said.
“Information is a form of currency,” said Senator Daines. “We need to have proper safeguards in place to ensure that our information is protected while still encouraging innovation.”
The bill has endorsements from the Atlantic Council, the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society, the Center for Democracy and Technology, Mozilla, Cloudflare, Neustar, the Niskanen Center, Symantec, TechFreedom, and VMware.
“Internet-aware devices raise deep and novel security issues, with problems that could arise months or years after purchase, or spill over to people who aren't the purchasers,” said Jonathan Zittrain, Co-Founder, Harvard University’s Berkman Klein Center for Internet & Society. “This bill deftly uses the power of the Federal procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ some basic security measures in their products. This will help everyone in the marketplace, including non-governmental purchasers and the vendors themselves, since they'll be encouraged together to take steps to secure their products.”
“The proliferation of insecure Internet-connected devices presents an enormous security challenge,” said Bruce Schneier, Fellow and Lecturer at Harvard Kennedy School of Government. “The risks are no longer solely about data; they affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests. I applaud Senator Warner and his cosponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government. Additionally, I appreciate Senator Warner's recognition of the critical role played by security researchers and the exemptions included in this legislation for good-faith security research.”
Warner wrote to the Federal Trade Commission (FTC) in July 2016 raising concerns about the security of children’s data collected by Internet-connected “smart toys.” In May 2017, the Senator wrote a follow-up letter to Acting FTC Chairwoman Maureen Ohlhausen reiterating his concerns following comments by the Chairwoman that the risks of IoT devices are merely speculative. In response to the Senator’s concerns, the FTC issued updated guidance on protecting children’s personal data in connected toys. Immediately in the wake of the Mirai botnet DDoS attack, Warner wrote to the FCC, FTC, and NCCIC to raise concerns about the proliferation of botnets composed of insecure devices, and in May 2017 he also wrote to Office of Management and Budget Director Mick Mulvaney and Secretary of Homeland Security John Kelly asking what steps the Federal Government had taken to defend against WannaCry ransomware.
The IoT industry is, and should be, following this bill closely. Mike Bell, EVP of IoT and Devices at Canonical, said of the bill, “This is an important step in ensuring better security standards for devices. Nearly half of IoT professionals surveyed by Canonical highlighted better device security as their most immediate IoT challenge, and the ability to patch devices remotely is crucial in ensuring security holes can be filled quickly, safely and painlessly. And, with U.S. government IoT spending already reaching nearly $9 billion in 2015, any new standards set by Congress will be sure to impact enterprise and consumer vendors.”