Senators introduce bill to improve federal IoT security

A bill has been introduced in the Senate with the intent of improving the cybersecurity of Internet-connected devices.

The Internet of Things Cybersecurity Improvement Act of 2017 calls for devices bought by the government to meet specified minimum security requirements. It also calls for vendors who supply the government with IoT devices to ensure their devices are patchable, do not include hard-coded passwords that cannot be changed and come without known security vulnerabilities.

The legislation encourages security research by supporting the adoption of coordinated vulnerability disclosure policies by federal contractors and giving legal protections to security researchers who follow those policies.

The bipartisan bill was introduced by Senators Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.), co-chairs of the Senate Cybersecurity Caucus, along with Senators Ron Wyden (D-Wash.) and Steve Daines (R-Mont.). The lawmakers discussed the legislation with technology and security experts before drafting the bill.

The bill has endorsements from the Atlantic Council, the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society, the Center for Democracy and Technology, Mozilla, Cloudflare, Neustar, the Niskanen Center, Symantec, TechFreedom and VMware.

More than 20 billion IoT devices worldwide are expected to be in place by 2020. IoT brings benefits, but the connected technology also carries risks: devices are sometimes shipped with factory-set, hardcoded passwords and often cannot be updated, which makes them a weak point in a network’s security and leaves the rest of the network vulnerable to attack.
