Senate Bill Seeks to Boost IoT Security
Responding to a rash of malware attacks on early and vulnerable Internet of Things devices, lawmakers have stepped forward with a proposal to improve weak IoT cyber-security.
While attempts at legislating technical specs don't always pan out, four U.S. senators are nevertheless proposing legislation that would attempt to shore up standards for IoT, starting with devices used by government agencies. The hope is that the federal effort could be expanded across the U.S.
Among other provisions, the Internet of Things Cybersecurity Act introduced in early August would require that IoT devices purchased by federal agencies meet "certain minimum security requirements," the bill's four sponsors stressed. For example, contractors providing Internet-connected device software or firmware would be required to notify a government customer of known security vulnerabilities uncovered by the vendor.
Further, IoT devices supplied to the government must be programmable to allow for the latest security patches and other updates. That requirement addresses the current practice in which security features are fixed by the manufacturer and cannot be updated, leaving them easy for hackers to identify and exploit.
The patching provision could help plug one of the biggest holes in IoT devices: millions of unpatched devices ripe for hacking.
"This legislation would establish thorough, yet flexible, guidelines for federal government procurements of connected devices," chief sponsor Sen. Mark Warner (D-Va.) noted in a statement. "My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products."
In a nod to standards groups, the legislation would require IoT manufacturers to use "industry standard protocols" while eliminating the use of hard-coded passwords, which have proven easy for hackers to defeat.
The bill also directs the U.S. Department of Homeland Security to issue guidelines for government contractors regarding the disclosure of device vulnerabilities. The provision addresses the frequent reluctance of vendors to report security vulnerabilities.
The bill also exempts cyber-security researchers from liability under various federal laws covering computer fraud and copyright violations.
Some vendors welcomed the Senate proposal. "This is an important step in ensuring better security standards for devices," Mike Bell, executive vice president of IoT and devices at Canonical, noted in a statement.
The open-source software specialist said that in its survey nearly half of IoT engineers named device security as their most immediate challenge. The survey also found that the ability to patch devices remotely would be critical to plugging security gaps. The company's IoT operating system includes remote patching capabilities.
"With the U.S. government’s IoT spending already reaching nearly $9 billion in 2015, any new standards set by Congress will be sure to impact enterprise and consumer vendors," Bell added.
The IoT legislation was co-sponsored by Sens. Cory Gardner (R-Colo.), who with Warner co-chairs the Senate Cybersecurity Caucus, Steve Daines (R-Mont.) and Ron Wyden (D-Ore.).