Members of Congress recently introduced a bipartisan proposal to enhance cybersecurity for the network of Internet-connected devices, commonly known as the Internet of things (IoT).
Senators Mark Warner (D-VA) and Cory Gardner (R-CO) and Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) introduced the IoT Cybersecurity Improvement Act of 2019 and hope to establish baseline cybersecurity standards for IoT devices. Senators Maggie Hassan (D-NH) and Steve Daines (R-MT) co-sponsored the Senate bill, and there are twelve other co-sponsors in the House of Representatives.
Growth in the IoT device market has exploded, and some stakeholders have expressed concern that the industry has prioritized time-to-market over adopting meaningful cybersecurity protections. The new bill would require minimum security standards for any devices integrated into government networks. The sponsors say they hope clear federal standards encourage the industry to adopt better security standards and integrate security into the design process.
The IoT Cybersecurity Act would also impose limits on the types of IoT devices the U.S. government could purchase. The bill would:
- Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices;
- Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and require OMB to review the policies at least every five years;
- Prohibit the federal government from purchasing any Internet-connected devices that do not to comply with those recommendations;
- Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities are addressed; and
- Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that information is disseminated when a vulnerability is uncovered.
In addition to the earlier versions of this bill introduced in the 115th Congress, Senator Warner wrote multiple letters to the Federal Trade Commission, Federal Communications Commission, and Department of Homeland Security in 2016 and 2017 raising concerns about “smart toys,” ransomware, and the risks that IoT devices were likely to pose. In a May 2018 report, the Departments of Commerce and Homeland Security recommended that the Federal government should “lead by example” and require the IoT products it purchases to be more secure and resilient.
Senator Warner said “the legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.” Representative Hurd said “this bipartisan legislation will make [IoT] devices more secure and help prevent future attacks on critical technology infrastructure.” The other co-sponsors echoed the importance of ensuring the safety of information and infrastructure as the IoT landscape expands.
Several industry leaders and civil society organizations have expressed support for the IoT Cybersecurity Act. For example, Symantec, Mozilla, and CTIA applauded the bill for setting up a coordinated approach for helping secure IoT devices and the sensitive data they hold.
Separately, CTIA announced that the trade association’s IoT Cybersecurity Certification program had certified its first device: the HARMAN Spark, an aftermarket connected car device offered by AT&T. According to CTIA, the IoT Cybersecurity Certification Program helps device suppliers, enterprises, and government organizations ensure that cellular-connected devices have appropriate security capabilities. The CTIA certification verifies devices’ security features against a set of best practices on everything from the storage of consumers’ information and password and security management, to “standards and the availability of an over-the-air mechanism for security software.”
The introduction of the IoT Cybersecurity Act—and parallel industry efforts to boost IoT security— represent two of the most recent efforts to anticipate and prevent IoT cybersecurity risks. They won’t be the last.