Menu

IoT FEATURE NEWS

US Senators Submit Bipartisan IoT Security Bill

By Ken Briodagh August 02, 2017

On August 1, U.S. Senators Mark R. Warner, Democrat of Virgina, Cory Gardner, Republican of Colorado, Ron Wyden, Democrat of Oregon, and Steve Daines Republican of Montana, introduced bipartisan legislation with the goal of improving the cybersecurity of IoT devices. Warner and Gardner are co-chairs of the Senate Cybersecurity Caucus, The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require that devices purchased by the U.S. government meet certain minimum security requirements.

“While I’m tremendously excited about the innovation and productivity that Internet of Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Senator Warner. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”

Under the terms of the bill, vendors who supply the U.S. government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements. The bill, drafted in consultation with technology and security experts from institutions such as the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University, also reportedly will encourage the adoption of coordinated vulnerability disclosure policies by federal contractors and provide legal protections to White Hat security researchers abiding by those policies.

“The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices operating on our networks within the next several years,” said Sen. Gardner. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks. This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space. As co-chairs of the Senate Cybersecurity Caucus, Senator Warner and I are committed to advancing our nation’s cybersecurity defenses and this marks an important step in that direction.”

Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would:

  • Require vendors of Internet-connected devices purchased by the federal government ensure their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.
  • Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
  • Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.
  • Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when in engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.
  • Require each executive agency to inventory all Internet-connected devices in use by the agency.

“I’ve long been making the case for reforms to the outdated and overly broad Computer Fraud and Abuse Act and the Digital Millennium Copyright Act. This bill is a bipartisan, common-sense step in the right direction. This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company. Enacting this bill would also help stop botnets that take advantage of internet-connected devices that are currently ludicrously easy prey for criminals,” Senator Wyden said.

“Information is a form of currency,” said Senator Daines. “We need to have to proper safeguards in place to ensure that our information is protected while still encouraging innovation.”

The bill has endorsements from the Atlantic Council, the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society, the Center for Democracy and Technology, Mozilla, Cloudflare, Neustar, the Niskanen Center, Symantec, TechFreedom, and VMware. For a full list of endorsements, and to read a one-pager on the bill, please click here.

“Internet-aware devices raise deep and novel security issues, with problems that could arise months or years after purchase, or spill over to people who aren't the purchasers,” said Jonathan Zittrain, Co-Founder, Harvard University’s Berkman Klein Center for Internet & Society. “This bill deftly uses the power of the Federal procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ some basic security measures in their products. This will help everyone in the marketplace, including non-governmental purchasers and the vendors themselves, since they'll be encouraged together to take steps to secure their products.”

“The proliferation of insecure Internet-connected devices presents an enormous security challenge,” said Bruce Schneier, Fellow and Lecturer at Harvard Kennedy School of Government. “The risks are no longer solely about data; they affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests. I applaud Senator Warner and his cosponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government. Additionally, I appreciate Senator Warner's recognition of the critical role played by security researchers and the exemptions included in this legislation for good-faith security research.”

Warner wrote to the Federal Trade Commission (FTC) in July 2016 raising concerns about the security of children’s data collected by Internet-connected “Smart Toys.” In May 2017, the Senator wrote a follow-up letter to Acting FTC Chairwoman Maureen Ohlhausen reiterating his concerns following comments by the Chairwoman that the risks of IoT devices are merely speculative. In response to the Senator’s concerns, the FTC issued updated guidance on protecting children’s personal data in connected toys. Immediately in wake of the Mirai Botnet DDoS attack, Warner wrote the FCC, FTC, and NCCIC to raise concerns about the proliferation of botnets composed of insecure devices, and also wrote to Office of Management and Budget Director Mick Mulvaney and Secretary of Homeland Security John Kelly in May 2017 asking what steps the Federal Government had taken to defend against WannaCry ransomware.

To read the full bill, click here.

The IoT industry is, and should be, following this bill closely. Mike Bell, EVP of IoT and Devices at Canonical, said of the bill, “This is an important step in ensuring better security standards for devices. Nearly half of IoT professionals surveyed by Canonical highlighted better device security as their most immediate IoT challenge, and the ability to patch devices remotely is crucial in ensuring security holes can be filled quickly, safely and painlessly. And, with U.S. government IoT spending already reaching nearly $9 billion in 2015, any new standards set by Congress will be sure to impact enterprise and consumer vendors.”




Edited by Ken Briodagh

Editorial Director

SHARE THIS ARTICLE
Related Articles

Augusta University Partners with State to Provide Cybersecurity Education and Research

By: Ken Briodagh    7/19/2018

With the opening of the $100-million Georgia Cyber Center on July 10, Augusta will become home to a one-of-a-kind facility designed to improve Georgia…

Read More

AI and the IoT: Bringing the Benefits of a Safer World

By: Special Guest    7/19/2018

The emergence of the IoT is delivering many benefits across many verticals, but it is also providing huge added value to those working in areas deemed…

Read More

Telit and IBM Accelerate Global Industrial IoT Deployments

By: Ken Briodagh    7/18/2018

Telit's deviceWISE IoT platform is now interoperable with the IBM Watson IoT platform

Read More

SensLynx Announces New GPS Tracking Business Model for Independent Resellers

By: Ken Briodagh    7/18/2018

SensLynx introduces all-inclusive program designed to turn sales professionals and existing businesses into fleet/asset tracking entrepreneurs.

Read More

The Intelligent IoT: AI in the Connected Revolution

By: Special Guest    7/18/2018

IoT devices are all around us, and will communicate 400 zettabytes of data by the end of 2018, but an AI component is needed to make sense of all this…

Read More