Bill Would Beef Up Security for IoT Wares Sold to US Gov't
Legislation Could Spur Improvements to Devices Sold to Businesses, Consumers, Too
Vendors that provide the U.S. government with internet-connected devices - so-called internet of things - would need to ensure they can be patched, don't include hard-coded passwords that can't be changed and are free of known security vulnerabilities, according to bipartisan legislation introduced in the Senate on Tuesday.
Known as the Internet of Things Cybersecurity Improvement Act of 2017, the bill would also promote security research by encouraging federal contractors to adopt coordinated vulnerability disclosure policies and by furnishing legal protections to security researchers who abide by those policies.
The legislation, if enacted, would apply only to purchases by the U.S. federal government. But because the federal government is such a large customer of internet-connected devices, the security features the legislation requires would likely be built into the same IoT products that vendors sell to businesses and consumers.
Federal Procurement Power
"This bill deftly uses the power of the federal procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ some basic security measures in their products," Jonathan Zittrain, co-founder of Harvard University's Berkman Klein Center for Internet and Society, said in a statement announcing the bill's introduction.
Security technologist and author Bruce Schneier, also in a statement, sees the legislation as a way to motivate vendors to make the investments needed to secure their IoT offerings. "The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests," says Schneier, who also is a Harvard Kennedy School of Government fellow and lecturer.
Where a device does contain known vulnerabilities, the legislation would require the vendor to disclose them to the purchasing agency, explain why the device can still be considered secure notwithstanding the flaws, and describe the compensating controls employed to limit the exploitability and impact of those vulnerabilities. Devices would also have to rely on industry-standard protocols rather than proprietary ones.
According to its sponsors, the legislation would:
- Direct the Office of Management and Budget to develop alternative network-level security requirements for devices with limited data processing and software functionality;
- Instruct the Department of Homeland Security's National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. government;
- Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines; and
- Require each executive agency to inventory all internet-connected devices in use by the agency.
Forecast: 20 Billion IoT Devices by 2020
A fact sheet accompanying the legislation projects that the number of IoT devices will exceed 20 billion by 2020. "IoT devices can represent a weak point in a network's security, leaving the rest of the network vulnerable to attack," the fact sheet says.
Bill sponsor Sen. Mark Warner, D-Va., says too many IoT devices are being sold without appropriate safeguards and protections in place despite the innovation and productivity they unleash. "This legislation would establish thorough, yet flexible, guidelines for federal government procurements of connected devices," Warner says in a statement. "My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products."
Another of the bill's sponsors, Sen. Ron Wyden, D-Ore., points out the measure would let researchers look for critical vulnerabilities in devices purchased by the government "without fear of prosecution or being dragged to court by an irritated company."
Bill Seen as Mirai Offspring
The legislation was written, in part, as a reaction to last year's Mirai distributed denial-of-service attack, which used a botnet of compromised IoT devices to render several high-profile websites unreachable (see Mirai Botnet Pummels Internet DNS in Unprecedented Attack). "The worldwide internet outages caused last year by devices infected with the Mirai malware highlighted the need for more robust discussions about securing IoT devices," says Doug Kramer, general counsel of DDoS mitigation and CDN provider Cloudflare.
Joining Warner and Wyden in sponsoring the bill are two Republican senators, Cory Gardner of Colorado, who co-chairs the Senate Cybersecurity Caucus with Warner, and Steve Daines of Montana.