Senators propose bill to boost IoT cybersecurity
With the goal of improving the cybersecurity of Internet-connected devices, legislators have introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017.
The bill calls for devices purchased by the government to meet specified minimum security requirements. Senators Mark R. Warner, D-Virginia, and Cory Gardner, R-Colorado, co-chairs of the Senate Cybersecurity Caucus, along with Senators Ron Wyden, D-Washington, and Steve Daines, R-Montana, introduced the bipartisan legislation on Tuesday.
The bill calls for vendors who supply the government with IoT devices to ensure their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities.
The lawmakers consulted with technology and security experts before drafting the bill.
The legislation promotes security research by encouraging the adoption of coordinated vulnerability disclosure policies by federal contractors and giving legal protections to security researchers who adhere to those policies.
The IoT is expected to include more than 20 billion devices by 2020. It comes with benefits and dangers, as IoT devices can represent a weak point in a network’s security.
The devices and the data they collect and transmit offer big benefits to consumers and industry. However, the relative insecurity of many devices comes with enormous challenges, the legislators point out.
Sometimes shipped with factory-set, hardcoded passwords and often unable to be updated or patched, IoT devices can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack.
Over the past year, IoT devices have been used to launch Distributed Denial of Service attacks against websites, web-hosting servers, and internet infrastructure providers.
The bill has endorsements from the Atlantic Council, the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society, the Center for Democracy and Technology, Mozilla, Cloudflare, Neustar, the Niskanen Center, Symantec, TechFreedom, and VMware.