US Senators Cory Gardner and Mark Warner, co-chairs of the Senate Cybersecurity Caucus, as well as Senators Ron Wyden and Steve Daines, have introduced legislation to improve the cybersecurity of internet-connected devices purchased by the US government.
Under the terms of The Internet of Things (IoT) Cybersecurity Improvement Act of 2017, vendors who supply the US government with connected devices would have to ensure the devices are patchable, do not include hard-coded passwords that can’t be changed and are free of known security vulnerabilities, among other requirements.
Reuters reports companion legislation from the House of Representatives is coming soon.
According to a press release from Gardner, the IoT is expected to include over 20bn devices by 2020. And while these devices offer big benefits, they also present sizable challenges, such as creating weak points in network security that leave them susceptible to attack. This, in turn, makes the government, as well as brands and consumers, far more vulnerable, whether they realize it or not.
Over the past year, IoT devices have been used to launch Distributed Denial of Service (DDoS) attacks against websites, web-hosting servers and internet infrastructure providers, the release said.
“As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks,” Gardner said in a statement. “This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space.”
In his own statement, Warner added, “My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
Indeed, Bruce Schneier, fellow and lecturer at the Harvard Kennedy School of Government, noted the market has no incentive to provide security on its own.
The bill also promotes security research by encouraging the adoption of coordinated vulnerability disclosure policies by federal contractors and providing legal protections to security researchers abiding by those policies.
For his part, Doug Kramer, general counsel at security company Cloudflare, pointed to the internet outages caused last year by devices infected with the Mirai malware, which he said highlighted the need for “more robust discussions about securing IoT devices.”
And, he said, “This bill should open an important dialogue on those issues.”
In January, the Federal Trade Commission (FTC) offered a $25,000 prize in a contest that also sought solutions for security weaknesses in the IoT.