
IoT FEATURE NEWS

US Senators Submit Bipartisan IoT Security Bill

By Ken Briodagh August 02, 2017

On August 1, U.S. Senators Mark R. Warner, Democrat of Virginia, Cory Gardner, Republican of Colorado, Ron Wyden, Democrat of Oregon, and Steve Daines, Republican of Montana, introduced bipartisan legislation with the goal of improving the cybersecurity of IoT devices. Warner and Gardner are co-chairs of the Senate Cybersecurity Caucus. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require that devices purchased by the U.S. government meet certain minimum security requirements.

“While I’m tremendously excited about the innovation and productivity that Internet of Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Senator Warner. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”

Under the terms of the bill, vendors who supply the U.S. government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements. The bill, drafted in consultation with technology and security experts from institutions such as the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University, will also reportedly encourage the adoption of coordinated vulnerability disclosure policies by federal contractors and provide legal protections to white-hat security researchers who abide by those policies.

“The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices operating on our networks within the next several years,” said Sen. Gardner. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks. This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space. As co-chairs of the Senate Cybersecurity Caucus, Senator Warner and I are committed to advancing our nation’s cybersecurity defenses and this marks an important step in that direction.”

Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would:

  • Require vendors of Internet-connected devices purchased by the federal government to ensure their devices are patchable, rely on industry-standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.
  • Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
  • Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.
  • Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.
  • Require each executive agency to inventory all Internet-connected devices in use by the agency.

“I’ve long been making the case for reforms to the outdated and overly broad Computer Fraud and Abuse Act and the Digital Millennium Copyright Act. This bill is a bipartisan, common-sense step in the right direction. This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company. Enacting this bill would also help stop botnets that take advantage of internet-connected devices that are currently ludicrously easy prey for criminals,” Senator Wyden said.

“Information is a form of currency,” said Senator Daines. “We need to have the proper safeguards in place to ensure that our information is protected while still encouraging innovation.”

The bill has endorsements from the Atlantic Council, the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society, the Center for Democracy and Technology, Mozilla, Cloudflare, Neustar, the Niskanen Center, Symantec, TechFreedom, and VMware.

“Internet-aware devices raise deep and novel security issues, with problems that could arise months or years after purchase, or spill over to people who aren't the purchasers,” said Jonathan Zittrain, Co-Founder, Harvard University’s Berkman Klein Center for Internet & Society. “This bill deftly uses the power of the Federal procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ some basic security measures in their products. This will help everyone in the marketplace, including non-governmental purchasers and the vendors themselves, since they'll be encouraged together to take steps to secure their products.”

“The proliferation of insecure Internet-connected devices presents an enormous security challenge,” said Bruce Schneier, Fellow and Lecturer at Harvard Kennedy School of Government. “The risks are no longer solely about data; they affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests. I applaud Senator Warner and his cosponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government. Additionally, I appreciate Senator Warner's recognition of the critical role played by security researchers and the exemptions included in this legislation for good-faith security research.”

Warner wrote to the Federal Trade Commission (FTC) in July 2016 raising concerns about the security of children’s data collected by Internet-connected “Smart Toys.” In May 2017, the Senator wrote a follow-up letter to Acting FTC Chairwoman Maureen Ohlhausen reiterating his concerns following comments by the Chairwoman that the risks of IoT devices are merely speculative. In response to the Senator’s concerns, the FTC issued updated guidance on protecting children’s personal data in connected toys. Immediately in the wake of the Mirai botnet DDoS attack, Warner wrote to the FCC, FTC, and NCCIC to raise concerns about the proliferation of botnets composed of insecure devices, and in May 2017 also wrote to Office of Management and Budget Director Mick Mulvaney and Secretary of Homeland Security John Kelly asking what steps the Federal Government had taken to defend against WannaCry ransomware.


The IoT industry is, and should be, following this bill closely. Mike Bell, EVP of IoT and Devices at Canonical, said of the bill, “This is an important step in ensuring better security standards for devices. Nearly half of IoT professionals surveyed by Canonical highlighted better device security as their most immediate IoT challenge, and the ability to patch devices remotely is crucial in ensuring security holes can be filled quickly, safely and painlessly. And, with U.S. government IoT spending already reaching nearly $9 billion in 2015, any new standards set by Congress will be sure to impact enterprise and consumer vendors.”

Edited by Ken Briodagh

Editorial Director
