IoT device security bill mandates security standards

A piece of bipartisan legislation introduced this week would require vendors that sell to the U.S. government to meet certain IoT device security requirements.

The "Internet of Things (IoT) Cybersecurity Improvement Act of 2017" was introduced by U.S. Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) who co-chair the Senate Cybersecurity Caucus, as well as Sens. Ron Wyden (D-Ore.) and Steve Daines (R-Mont.). The bill aims to improve IoT device security for products used in the government.

"Under the terms of the bill, vendors who supply the U.S. government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that can't be changed, and are free of known security vulnerabilities, among other basic requirements," explained a statement from Senator Warner's office announcing the act.

The senators collaborated with experts from the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University to craft the IoT device security bill. It also encourages security researchers to help find IoT device security vulnerabilities by adopting "coordinated vulnerability disclosure policies by federal contractors and providing legal protections to security researchers" who engage in "good-faith research" and exempt them "from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when in (sic) engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines."

"I've long been making the case for reforms to the outdated and overly broad Computer Fraud and Abuse Act and the Digital Millennium Copyright Act," said Senator Wyden in the statement. "This bill is a bipartisan, common-sense step in the right direction. This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company. Enacting this bill would also help stop botnets that take advantage of internet-connected devices that are currently ludicrously easy prey for criminals."

The IoT device security bill would require vendors to develop patchable devices that "rely on industry standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities."

The bill also specifies that the Office of Management and Budget must develop other "network-level security requirements for devices with limited data processing and software functionality."

Vendors such as Mozilla, Cloudflare, Neustar, Symantec and VMware have already endorsed the bill, and some security experts have spoken out about it as well, including security expert Bruce Schneier. In the statement from Senator Warner's office, Schneier said, "The proliferation of insecure Internet-connected devices presents an enormous security challenge. The risks are no longer solely about data; they affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests." He added that he applauds Senator Warren and the others for "nudging the market in the right direction" with the IoT device security bill, as well as recognizing the "critical role played by security researchers."