On August 1, 2017, a bipartisan group of senators introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 that would require IoT devices purchased by the U.S. government to meet certain minimum security requirements.
Under the terms of the bill, which can be found here, vendors who supply the U.S. government with “Internet-Connected Devices” would have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other requirements. “Internet-Connected Devices” are defined broadly under the proposed law to include “a physical object that is capable of connecting to and is in regular connection with the Internet” or one that “has computer processing capabilities that can collect, send or receive data.” In other words, the definition reaches any device that has an internet connection and can transmit data.
Specifically regarding the proposed requirements, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would:
- Require that vendors of Internet-connected devices purchased by the federal government ensure their devices are patchable, rely on industry standard protocols, not use hard-coded passwords, and not contain any known security vulnerabilities;
- Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality;
- Direct the Department of Homeland Security to issue guidelines regarding coordinated vulnerability disclosure policies to be required of contractors providing connected devices to the U.S. Government;
- Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines;
- Require each executive agency to inventory all Internet-connected devices in use by the agency.
Key components of the proposed legislation come in response to a number of high-profile IoT attacks within the past year. In October 2016, the Mirai botnet attack drew widespread attention after it disrupted some of the internet’s most trafficked websites. The Mirai botnet attacks were DDoS-style (distributed denial-of-service) campaigns that targeted IoT devices such as home routers and closed-circuit TV cameras (CCTVs) secured only through factory-default passwords, which were therefore readily accessible to attackers. The Mirai attacks showed how easily threat actors could assemble massive botnets from vulnerable IoT devices and use them to launch DDoS attacks and other malicious campaigns.
Even though the legislation would apply only to IoT products purchased by the federal government, if enacted it would likely influence IoT vendors operating in the consumer context as well. Such requirements signal an emerging set of baseline best practices that are beginning to resemble the outlines of a standard of care that all IoT developers and manufacturers should look to follow. Indeed, the bill’s requirements are consistent with emerging best practices that have been endorsed by regulators such as the FTC and DHS.
Ultimately, the proposed legislation signals the importance of legal, compliance, and product teams acting closely together when developing IoT products to ensure that these emerging best practices are incorporated into devices.
Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-OR) and Steve Daines (R-MT), introduced the legislation.