US senators introduce bill to improve IoT security, protect researchers probing it

US Senators Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-WA) and Steve Daines (R-MT) introduced bipartisan legislation to improve the cybersecurity of Internet-connected devices.

The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require that devices purchased by the US government meet certain minimum security requirements.

Specifically, the bill would:

• Require vendors of Internet-connected devices purchased by the federal government ensure their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.
• Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
• Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the US Government.
• Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when in engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.
• Require each executive agency to inventory all Internet-connected devices in use by the agency.

The bill, drafted in consultation with technology and security experts from institutions such as the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University, also promotes security research by encouraging the adoption of coordinated vulnerability disclosure policies by federal contractors and providing legal protections to security researchers abiding by those policies.

“I’ve long been making the case for reforms to the outdated and overly broad Computer Fraud and Abuse Act and the Digital Millennium Copyright Act. This bill is a bipartisan, common-sense step in the right direction. This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company. Enacting this bill would also help stop botnets that take advantage of internet-connected devices that are currently ludicrously easy prey for criminals,” Senator Wyden said.

“The proliferation of insecure Internet-connected devices presents an enormous security challenge,” said Bruce Schneier, Fellow and Lecturer at Harvard Kennedy School of Government. “The risks are no longer solely about data; they affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests. I applaud Senator Warner and his cosponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government. Additionally, I appreciate Senator Warner’s recognition of the critical role played by security researchers and the exemptions included in this legislation for good-faith security research.”

“The proposed IoT legislation introduced to the US Senate last night is a positive step towards ensuring much-needed security for connected devices,” noted Mark Noctor, VP EMEA at Arxan Technologies.

“We hope the new bill will serve as an example to other governments around the world to secure their own markets. While there has been useful work in the area from bodies such as ENISA, it appears that an act of law is the best way to get vendors to ensure security.”

“While the focus on basic measures such as password management is a good starting point, we’d also like to see future legislation build on this to require more advanced security measures, such as using code hardening to protect a connected device’s software from being broken into and reverse engineered for malicious purposes,” he added.