The U.S. Government is getting serious about Internet of Things (IoT) security. On August 1, a bi-partisan group of U.S. Senators including Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Senator Ron Wyden (D-WA) and Steve Daines (R-MT), introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017.
The IoT Cybersecurity Improvement Act is focused on helping to make sure that devices purchased and used by the U.S. government meet a set of security requirements.
“This bipartisan, common-sense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space,” Senator Gardner said in a statement.
Among the common-sense security requirements outlined in the IoT Cybersecurity Improvement Act is that vendors have to make sure that the devices they sell the U.S. Government can be patched for security flaws. Additionally the Act requires that IoT vendors not include hard-coded passwords on devices that cannot be changed. The IoT Cybersecurity Improvement Act also directs vendors to ensure that devices to not include any known vulnerabilities and that devices use industry standard protocols for connectivity and encryption.
“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” Senator Warner, said in a statement. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices.”
Looking beyond just establishing baselines for IoT device security requirements, the proposed Act also aims to make it easier for security researchers to find and disclose vulnerabilities in IoT devices. The Computer Fraud and Abuse Act (CFAA) as well as the Digital Millennium Copyright Act have been seen by security professionals as a limiting factor for researchers looking at IoT security. Those two Acts have provisions that could have potentially landed a security researcher in legal trouble for analyzing the security of IoT devices.
Under the proposed IoT Cybersecurity Improvement Act, security researchers will be able to investigate and responsibility disclose IoT security vulnerabilities without being at legal risk of violating the CFAA or DMCA.
“This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company,” Senator Wyden said in a statement. “Enacting this bill would also help stop botnets that take advantage of internet-connected devices that are currently ludicrously easy prey for criminals.”
The Mirai IoT botnet attacked users in the U.S in October 2016, taking advantage of insecure IoT devices to launch a Distributed Denial of Service (DDoS) attack against internet infrastructure.
While the IoT Cybersecurity Improvement Act is an effort that will impact devices acquired by the U.S. federal government, there are a lot of IoT devices that are intended just for consumers. The U.S. Federal Trade Commission (FTC) which acts as a consumer protection agency, is also looking at IoT issues.
At the Black Hat USA security conference on July 26, FTC Commissioner Terrell McSweeny outlined several steps her agency is already taking to help protect consumers of IoT devices. Sweeny’s Black Hat talk was specifically about how vendors can market devices and make accurate claims about funcationality. Sweeny wants manufacturers to disclose a minimum security support period for devices so that consumers can have a reasonable expectation of how long a device is intended to work.
Additionally Sweeny has concerns about what happens when IoT devices fail. For example, she noted that if a connected IoT toaster only has support for a couple of years, consumers should know if they will still be able to toast their bagels once support expires.
“One of the things that keeps me up at night is patchwork IoT security and insecure devices,” McSweeny said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.