US senators introduce bill to tackle IoT device security

A bipartisan group of US senators have introduced legislation to address cyber vulnerabilities in the burgeoning IoT device market.

The Internet of Things Cybersecurity Improvement Act of 2017, as it is known, is sponsored by Republican senators Cory Gardner and Steve Daines, and senators Mark Warner and Ron Wyden from the Democratic Party.

As co-chairs of the Senate Cybersecurity Caucus, Warner and Gardner have an understanding of the sector, but the senators were assisted in their draft by input from those familiar with the technology at the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University.

The Act aims to “provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies, and for other purposes,” the bill reads. It would require any company providing IoT devices to the US government to “provide written certification” at the point of proposal that the device does not contain any security vulnerabilities or defects.

It also asserts that IoT devices must have the ability to be patched and that they must not have hardcoded passwords that can’t be changed. Any government department that does purchase a connected device must keep a comprehensive inventory of all devices on their network.

Senators see “enormous” IoT security challenges

Referencing recent Distributed Denial of Service (DDoS) attacks that have affected IoT devices in the last year, such as the WannaCry malware attack that took down the NHS in the UK and the DDoS attack on the Dyn domain name server that blocked user access to popular sites like Twitter, a joint statement said that insecurity of IoT devices presents enormous challenges.

“Sometimes shipped with factory-set, hardcoded passwords and oftentimes unable to be updated or patched, IoT devices can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack,” the statement reads.

“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Sen. Warner.

“This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”

Details of the bill

Specifically, the senators say the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would:

Require vendors of Internet-connected devices purchased by the federal government ensure their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.
Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.
Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when in engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.
Require each executive agency to inventory all Internet-connected devices in use by the agency.

Thus far, the bill has been endorsed by Atlantic Council, the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society, the Center for Democracy and Technology, Mozilla, Cloudflare, Neustar, the Niskanen Center, Symantec, TechFreedom, and VMware.