The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (S.1691) would require the U.S. government to purchase IoT devices that meet prescribed minimum security requirements.
In particular, device vendors seeking government business would have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities. The bill would also:
- Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
- Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.
- Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines, and
- Require each executive agency to inventory all Internet-connected devices in use by the agency.
The bill was drafted in consultation with cybersecurity experts from various institutions and was prompted in part by two high-profile cyberattacks launched with the help of IoT-enabled devices (i.e. security cameras and Internet routers) that were remotely hacked. One was the 16 September denial-of-service attack targeted against KrebsOnSecurity.com, which was distributed over hundreds of thousands of hacked systems. That was followed on 16 October by a massive attack that utilized hacked web cameras and DVRs to disrupt an Internet infrastructure company that provides technical services to a number of major online services, including Twitter, Amazon, Tumblr and Netflix.
According to Sen. Warner, “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
Sen. Gardner added: “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks. This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space.”
The bill garnered endorsements from several technology-oriented groups including the Center for Democracy & Technology (CDT), Mozilla, and the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society.
Some tech observers expressed concerns, however, that the bill doesn’t go far enough to ensure full security and doesn’t address IoT vulnerabilities that may arise due to human factors. Requiring devices to be patchable doesn’t guarantee that the patches are actually kept updated. And the elimination of hard-coded passwords doesn’t ensure that users will regularly update their passwords, or that system administrators won’t use the same password across multiple sites or devices.
Despite those concerns, security experts generally praised the bill as a much-needed minimum set of security controls for IoT devices. The bill was referred to the Senate Committee on Homeland Security and Government Affairs, where committee member and bill co-sponsor Sen. Steve Daines (R-Mont.) is expected to push for prompt consideration. One of the few engineers serving in Congress, Daines holds a degree in chemical engineering and, prior to his election to Congress, was the VP of RightNow Technologies, a Bozeman-based cloud computing start-up company later acquired by Oracle.