Earlier this month, Senators from both sides of the aisle introduced the “Internet of Things Cybersecurity Improvement Act of 2017,” outlining new security requirements for vendors who supply the U.S. Government with IoT devices. The bill was proposed by U.S. Senators Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Senators Ron Wyden (D-OR) and Steve Daines (R-MT).
In a Press Release for the bill, Senator Warner notes that the sheer number of IoT devices – expected to exceed 20 billion devices by 2020 – presents increasing opportunities for cyberattacks. “While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Senator Warner. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would:
- Require vendors of Internet-connected devices purchased by the federal government to ensure their devices are patchable, rely on industry-standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.
- Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
- Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines on the coordinated vulnerability disclosure policies that contractors providing connected devices to the U.S. Government would be required to adopt.
- Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to the adopted coordinated vulnerability disclosure guidelines.
- Require each executive agency to inventory all Internet-connected devices in use by the agency.
While this bill is aimed at vendors to the U.S. Government, the growing concern over IoT device security is not limited to federal procurements. Michelle Richardson, Deputy Director of the Freedom, Security and Technology Project at the Center for Democracy and Technology, describes the bill as an “important first step,” and others speculate that it may have a ripple effect on companies manufacturing IoT devices for private consumers. With the rapid advancement of IoT devices and the increasing sophistication of cyberattacks, securing these devices will remain a moving target. Even so, this bill may mark the beginning of a trend toward greater legislative focus on the overall security of the Internet of Things.