US government considers IoT security legislation
March 21, 2019
Bipartisan legislation to improve the cyber security of internet-connected devices was introduced this month in the US Senate and the House of Representatives. The IoT Cybersecurity Improvement Act would require that devices purchased by the US government meet certain minimum security requirements.
The legislation is being introduced in the Senate by senators Mark Warner and Cory Gardner, co-chairs of the Senate Cybersecurity Caucus, along with senators Maggie Hassan and Steve Daines, while representatives Robin Kelly and Will Hurd are introducing companion legislation in the House of Representatives.
“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritising convenience and price over security,” said Democrat Warner, a former technology entrepreneur and executive and vice chairman of the Senate Select Committee on Intelligence. “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”
Republican Gardner added: “The IoT landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years. As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks. Agencies like the National Institute of Standards and Technology (Nist), which has a major campus in Boulder, are key players in helping establish guidelines for improved IoT security and our bill builds on those efforts. As co-chairs of the Senate Cybersecurity Caucus, senator Warner and I remain committed to advancing our nation’s cyber-security defences.”
And Democrat Kelly said: “As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure. Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices. It’s estimated that by 2020 there will be 30 million internet-connected devices in use. As these devices positively revolutionise communication, we cannot allow them to become a backdoor to hackers or tools for cyber attacks.”
IoT devices will improve and enhance nearly every aspect of our society, economy and our day-to-day lives, according to Republican Hurd, former computer science major, cyber-security entrepreneur and chair of the House Subcommittee on Information Technology.
“This is ground-breaking work and IoT devices must be built with security in mind, not as an afterthought,” he said. “This bipartisan legislation will make IoT devices more secure and help prevent future attacks on critical technology infrastructure.”
Democrat Hassan added: “With everything from LED lights to thermostats connected to the internet, we need to act swiftly to step up security for IoT devices to prevent hackers from disrupting our economy and threatening public safety. By requiring the federal government to only purchase devices that meet certain cyber-security standards, this bill will help protect federal agencies against hackers who are seeking to exploit IoT devices in order to steal critical national security information and the private data of Granite Staters and Americans.”
And Montana Republican Daines said: “As the IoT landscape grows, we must ensure that Montanans’ information is safe and the security of our critical infrastructure is protected. This bill helps establish proper safeguards that balance the need to protect Montanans’ privacy and our national security with the growing tech economy and high-paying jobs it provides.”
While IoT devices and the data they collect and transmit present enormous benefits to consumers and industry, the relative insecurity of many devices presents enormous challenges. Sometimes shipped with factory-set, hardcoded passwords that the owner cannot change, and often unable to be updated or patched at all, IoT devices can be the weakest point in a network’s security, leaving the rest of the network exposed to attack. Attackers have already used compromised IoT devices to launch distributed denial of service (DDoS) attacks against websites, web-hosting servers and internet infrastructure providers.
At a hearing of the Senate Armed Services Committee last year, the director of the Defense Intelligence Agency, Robert Ashley, described exploitation of insecure IoT devices as one of the two “most important emerging cyber threats to our national security”. Last May, the Departments of Commerce & Homeland Security published a report highlighting the IoT market forces that reward low-price and convenience at the expense of security. The signature recommendation of the May 2018 report was that the federal government should “lead by example” by requiring the acquisition of more secure and resilient products and services, particularly IoT.
The IoT Cybersecurity Improvement Act will address both this market failure and the supply chain risk to the federal government stemming from insecure IoT devices by establishing light-touch, minimum security requirements for procurements of connected devices by the government.
Specifically, the act would:
- Require Nist to issue recommendations addressing, at a minimum, secure development, identity management, patching and configuration management for IoT devices.
- Direct the Office of Management & Budget (OMB) to issue guidelines for each agency that are consistent with the Nist recommendations, and charge OMB with reviewing these policies at least every five years.
- Require any internet-connected devices purchased by the federal government to comply with those recommendations.
- Direct Nist to work with cyber-security researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
- Require contractors and vendors providing IoT devices to the US government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
Jonathan Zittrain, co-founder of Harvard University’s Berkman Klein Center for Internet & Society, said: “Internet-aware devices raise deep and novel security issues, with problems that could arise months or years after purchase, and spill over to people who aren't the purchasers. This bill leverages the government procurement market, rather than direct regulation, to encourage internet-aware device makers to employ basic security measures in their products.”
The bill is also supported by Rapid7. Similar legislation was previously introduced in the 115th Congress.
Warner wrote to the Federal Trade Commission (FTC) in July 2016 raising concerns about the security of children’s data collected by internet-connected smart toys. In May 2017, the senator wrote a follow-up letter to acting FTC chairwoman Maureen Ohlhausen reiterating his concerns following comments by the chairwoman that the risks of IoT devices are merely speculative. In response to the senator’s concerns, the FTC issued updated guidance on protecting children’s personal data in connected toys.
Immediately in the wake of the October 2016 DDoS attack on internet infrastructure by the Mirai botnet, Warner wrote to the FCC, FTC and the National Cybersecurity and Communications Integration Center (NCCIC) to raise concerns about the proliferation of botnets composed of insecure devices. Warner also wrote to OMB director Mick Mulvaney and secretary of homeland security John Kelly in May 2017 asking what steps the federal government had taken to defend against WannaCry ransomware.
Warner, the vice chairman of the Senate Select Committee on Intelligence and a former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus and a specialist in Congress on security issues related to the IoT.