US senators propose law change on security for IoT devices
August 3, 2017
Two US senators – one Democrat and one Republican – are trying to force companies selling IoT devices to adhere to new security standards.
Called the Internet of Things Cybersecurity Improvement Act of 2017, the bill has been put forward by Democrat Mark Warner from Virginia and Republican Cory Gardner from Colorado.
The bill specifically targets internet-connected devices bought by Federal agencies. It calls for a clause in any purchase agreement confirming that the hardware, software or firmware does not contain any known security vulnerabilities or defects.
“While I’m tremendously excited about the innovation and productivity that internet-of-things devices will unleash, I have long been concerned that too many internet-connected devices are being sold without appropriate safeguards and protections in place,” said Warner. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
The equipment must rely on software or firmware that can accept properly authenticated and trusted updates from the vendor. It must also use non-deprecated industry-standard protocols and technologies for communications, encryption and interconnections with other devices and peripherals.
The bill does have an opt-out clause under which a vendor may apply for a waiver for a declared known vulnerability, provided it can be shown that the equipment will still operate securely.
The contractor must also agree to repair or replace any equipment or software if a new security vulnerability is discovered.
Basically, under the terms of the bill, vendors who supply the US government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that cannot be changed, and are free of known security vulnerabilities, among other basic requirements.
“The internet of things landscape continues to expand, with most experts expecting tens of billions of devices operating on our networks within the next several years,” said Gardner. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks. This bipartisan, common-sense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space. As co-chairs of the Senate Cybersecurity Caucus, Senator Warner and I are committed to advancing our nation’s cyber-security defences and this marks an important step in that direction.”
The bill, drafted in consultation with technology and security experts from institutions such as the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University, also promotes security research by encouraging the adoption of coordinated vulnerability disclosure policies by federal contractors and providing legal protections to security researchers abiding by those policies.
“Internet-aware devices raise deep and novel security issues, with problems that could arise months or years after purchase, or spill over to people who aren't the purchasers,” said Jonathan Zittrain, co-founder of Harvard University’s Berkman Klein Center for Internet & Society. “This bill deftly uses the power of the Federal procurement market, rather than direct regulation, to encourage internet-aware device makers to employ some basic security measures in their products. This will help everyone in the marketplace, including non-governmental purchasers and the vendors themselves, since they'll be encouraged together to take steps to secure their products.”