A Senate bill introduced on Aug. 1 would not only establish security requirements for Internet of Things (IoT) devices purchased by the government, but also let researchers look for critical security flaws in those devices under vulnerability disclosure policies.
“While I’m tremendously excited about the innovation and productivity that Internet of Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Sen. Mark Warner, D-Va. “This legislation would establish thorough, yet flexible, guidelines for Federal government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
Sens. Cory Gardner, R-Colo., Ron Wyden, D-Ore., and Steve Daines, R-Mont., were co-sponsors of the bill.
“This bill is a bipartisan, common-sense step in the right direction,” Wyden said. “This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company. Enacting this bill would also help stop botnets that take advantage of Internet-connected devices that are currently ludicrously easy prey for criminals.”
Experts behind the Hack the Pentagon program told MeriTalk that vulnerability disclosure programs are incredibly helpful in protecting the government’s vast IP space and can improve the relationships between security researchers and Federal agencies.
The bill, titled the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, would require vendors to ensure that their devices are patchable, abide by industry best practices, do not use hard-coded passwords, and are free of known vulnerabilities at the time of sale. It also directs the Office of Management and Budget to issue security requirements for IoT devices and the DoD to issue guidance on vulnerability disclosures. Under the bill, security researchers acting in good faith to discover weaknesses in covered devices would be exempt from liability under the Computer Fraud and Abuse Act. Finally, the bill would require agencies to inventory all Internet-connected devices in use.
“The bill introduced by Senator Warner and his colleagues specifically targets the critical insecurity of IoT and OT devices on government networks,” said Katherine Gronberg, vice president of Government Affairs at ForeScout Technologies. “The problem of shadow IT, devices that agencies don’t know about, is that it causes a major gap in departments’ and agencies’ ability to manage cyber risk.”
“Bold action is needed,” she said. “Initial phases of programs like CDM have shown that agencies don’t have complete domain awareness, that is, real-time knowledge of what’s on their networks and continuous classification of those assets. This bill puts requirements around how devices are sold to the government and whether they meet certain criteria. Safer devices will help the problem, but in parallel, agencies need to deploy key tool sets as quickly as possible under Continuous Diagnostics and Mitigation (CDM) and Comply to Connect (C2C) to help them detect and remediate problem devices.”
Gardner, a bill co-sponsor, said, “The Internet of Things landscape continues to expand, with most experts expecting tens of billions of devices operating on our networks within the next several years. As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyberattacks. This bipartisan, common-sense legislation will ensure the Federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space.”
According to Warner’s press release, the bill was drafted in consultation with outside technology and security experts, including the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University, and has received many industry endorsements.
“We urgently need to start securing the Internet of Things, and starting with the government’s own devices is an important first step,” said Michelle Richardson, deputy director of the Freedom, Security and Technology Project at the Center for Democracy & Technology. “This legislation will push government devices to meet modern security standards, and ensure that researchers who act in good faith can independently verify the security of those devices. We hope that Congress will consider this proposal soon, and look forward to a discussion about the security of government systems, where the market for Internet of Things devices is headed, and how independent research can contribute.”
Doug Kramer, general counsel for Cloudflare, added, “The worldwide Internet outages caused last year by devices infected with the Mirai malware highlighted the need for more robust discussions about securing IoT devices. This bill should open an important dialogue on those issues.”