A bipartisan group of US senators has introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, which seeks to impose baseline cybersecurity standards for IoT devices sold to the US government. Notably, the bill does not apply to consumer devices, but it is anticipated that this is just a first step in a long road to the regulation of security and privacy in IoT devices.
The bill, which was introduced by US Senators Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Senators Ron Wyden (D-WA) and Steve Daines (R-MT), broadly defines "Internet-Connected Device" to mean "a physical object that—(A) is capable of connecting to and is in regular connection with the Internet; and (B) has computer processing capabilities that can collect, send, or receive data." Thus, the reach of the legislation would be quite broad notwithstanding its limitation to devices placed with government agencies.
The bill implements the baseline security requirements by requiring the Director of the Office of Management and Budget to coordinate with certain government agencies to prepare and issue guidelines regarding the security of IoT devices placed with federal agencies.
While the Director retains discretion to set forth additional guidelines, the bill outlines certain provisions that the Director must include in the required guidelines. For example, the bill requires the Director to implement guidelines regarding a number of contractual clauses that each federal agency is required to include in its contracts for the acquisition of Internet-connected devices. According to the bill's provisions, one such clause requires a contractor supplying the IoT device to provide written certification that the device does not suffer from known security vulnerabilities listed in the National Vulnerability Database of the National Institute of Standards and Technology (NIST) or other databases that contain similar information, as determined by the Director. Another required clause obliges a contractor to report security vulnerabilities that arise after the device has been placed with the purchasing agency.
Yet another clause requires contractors to certify that the device "relies on software or firmware components capable of accepting properly authenticated and trusted updates from the vendor," and another imposes affirmative obligations on the contractor to update or replace IoT device software or firmware components to address ongoing security vulnerabilities. If the bill is enacted, these requirements would force the hand of manufacturers to remedy a rampant issue with many IoT devices: the inability and/or willful failure of manufacturers to update the software and firmware components in those devices.
In addition to the mandated guidelines, the bill would afford protections to third-party "grey hat" researchers who engage in research designed to expose cybersecurity flaws in IoT devices that have been provided by a contractor to a US department or agency. The bill exempts such cybersecurity researchers from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to coordinated vulnerability disclosure guidelines that would be implemented if the legislation is enacted.
In a press release, Senator Warner explained that while he was "tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash," he has "long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place." Senator Warner expressed the hope that the legislation will "encourage device manufacturers to compete on the security of their products."
As noted, the bill applies only to companies and government contractors that are selling to the US government, but Warner has stated publicly that he hopes the bill's requirements will lead to similar improvements in the consumer IoT device market.