The number of internet-connected devices is projected to reach 20 billion by 2020, and this has IT personnel and US lawmakers concerned. As more devices – webcams, smart home devices, thermostats, etc. – become internet-connected, there are growing concerns about their security. The recent botnet attacks that took down Twitter and Netflix brought more of these concerns to light, and US lawmakers are finally taking notice.
A bipartisan group of US Senators is introducing legislation that would require vendors that provide internet-connected devices and equipment to the US government to ensure their products are patchable and conform to industry security standards. The new bill would also prevent vendors from supplying devices that have unchangeable passwords or known security vulnerabilities. On August 1st, Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-OR), and Steve Daines (R-MT) introduced legislation to “improve the cybersecurity of Internet-connected devices.” The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require that devices purchased by the US Government meet certain minimum security requirements.
“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place.”
According to Senator Warner’s website – the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would:
- Require vendors of Internet-connected devices purchased by the federal government ensure their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.
- Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
- Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required of contractors providing internet-connected devices to the US Government.
- Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.
- Require each executive agency to inventory all internet-connected devices in use by the agency.
While these rules only apply to federal government equipment, it’s a good start. This is especially important because many producers of technology hardware are based in other countries. Lenovo, for example, is a China-based corporation that supplies hardware internationally and faced security concerns around the 2015 Superfish incident, which allowed third parties to intercept HTTPS-secured communications. The ramifications of an IoT vulnerability compromising the US Government could potentially impact the entire nation and, subsequently, the entire global economy.