Insights & Analyses

Bipartisan US Senate group proposes stricter cybersecurity on Internet of Things devices

August 2, 2017

After a rash of botnet attacks took down huge swaths of the internet last year, a bipartisan group of four U.S. senators has proposed new legislation that would mandate better security on connected devices purchased by the government.

The “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” would require devices purchased by the U.S. government meet certain minimum security requirements. The proposed bill would mandate that IoT devices sold to the government are patchable, do not include hard-coded passwords that cannot be changed, and are free of known security vulnerabilities.

The legislation was introduced by the co-chairs of the Senate Cybersecurity Caucus, Sens. Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.). Also sponsoring the bill were Sens. Ron Wyden (D-Oreg.) and Steve Daines (R-Mont.).

The bill was drafted in consultation with technology and security experts from the Atlantic Council and the Berklett Cybersecurity Project from Harvard University.

The proposed law would also promote security research by encouraging adoption of coordinate vulnerability disclosure policies by federal contractors, and also provide legal protections to security researchers abiding by such policies.

The growing popularity of IoT devices could be a growing problem: By 2020, there are expected to be some 20.4 billion IoT devices around the world.

Because the devices are designed to be simple and connected, they potentially pose serious security threats.

Perhaps the most prominent example was a coordinated botnet attack, dubbed Mirai, that crippled significant portions of the internet in late 2016. The attack was accomplished by a self-replicating virus that took advantage of weak security protections on cheap IoT devices such as home security cameras.

Author David Birch tackled the ongoing IoT problem at OWI’s first-annual K(NO)W Identity Conference in May, detailing how not only do connected IoT devices need to be secured, but the data they share and transfer as well. In Birch’s view, IoT devices face “a market failure issue” that will require industry coordination.

In the case of the U.S. government, the four senators behind the IoT legislation hope they can perhaps spur industry coordination with a nudge via federal policies. In doing so, the government could help prevent the kind of major security vulnerability that could potentially leave systems open for attack, even exposing personal information about U.S. citizens.

“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” Warner said. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”