The growing network of Internet-connected devices and sensors (the Internet of Things) is projected to exceed 20 billion devices by 2020. The use cases for IoT devices and the data they collect have staggering benefits. However, the security risks that connected devices create are equally staggering. As I wrote in another article on IoT security, IoT devices are often shipped with factory-set, hard-coded passwords and frequently cannot be updated or patched at all. The result is a security risk that leaves the whole network they sit on exposed to a cyberattack.
Four members of the U.S. Senate have introduced a new bill titled the “Internet of Things Cybersecurity Improvement Act of 2017.” According to the publicly available text, its purpose is “to provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies, and for other purposes.” The four sponsors are senators Cory Gardner (R-CO), Steven Daines (R-MT), Mark Warner (D-VA) and Ron Wyden (D-OR).
In summary, the legislation would prohibit hard-coded passwords and require that products be free of any known security vulnerabilities at the time of sale. In addition, the bill sets out a list of standards that vendors supplying IoT devices to Government agencies must meet. Although the requirements apply only to federal procurement, industry experts believe that, if the bill passes, these standards could be adopted by non-governmental organizations as well.
You can read the entire “Internet of Things Cybersecurity Improvement Act of 2017” here.
Some of the additional highlights include:
- A vendor of Internet-connected devices must provide written certification that the device contains no known security vulnerabilities listed in NIST's National Vulnerability Database (NVD).
- The device must use software or firmware capable of accepting properly authenticated and trusted updates from the vendor, so that it can be patched.
- The device must not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication.
- The device must rely on industry-standard protocols.
- The bill directs specified U.S. government agencies to issue guidelines on coordinated vulnerability disclosure policies, which contractors providing connected devices to the U.S. Government would be required to adopt.
Senator Warner said:
“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Sen. Warner. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
The goal of the legislation is for IoT devices, starting with those used by the government, to meet modern security standards. Security is a growing concern as more devices become connected, and this legislation, should it pass, may increase the pressure to adopt modern security standards across all industries, not just government.
What do you think? Is this bill a step in the right direction or not? I'd love to hear your opinion; post it below in the comments.