Most IT security professionals have come to expect that when it comes to new technologies any concerns about cybersecurity will be more or less an afterthought. And yet hope does somehow manage to spring eternal. A bipartisan bill has been introduced in the U.S. Senate this week that would require the Federal government to ensure that specific security measures are taken in any Internet of Things (IoT) project implemented by the U.S. government.
The Internet of Things (IoT) Cybersecurity Improvement Act of 2017, sponsored by U.S. Senators Cory Gardner (R-CO) and Mark R. Warner (D-VA), co-chairs of the Senate Cybersecurity Caucus, and Sens. Ron Wyden (D-OR) and Steve Daines (R-MT), would require government agencies deploying an IoT solution to ensure that devices are patchable, use industry-standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities. Government agencies would also be required to maintain an inventory of all IoT devices employed by the agency.
The proposed legislation also directs the Department of Homeland Security's National Protection and Programs Directorate to issue guidelines on coordinated vulnerability disclosure policies that would apply to government contractors, while at the same time tasking the Office of Management and Budget (OMB) with developing alternative network-level security requirements for devices with limited data processing and software functionality.
Finally, the act also proposes to exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research that complies with the vulnerability disclosure guidelines stipulated in the legislation.
Because so many organizations do business with the Federal Government, the hope is that this legislation will create a new minimum threshold for IoT security that will wind up being adopted within private industry as well. It could also create a baseline that courts could employ in cases where they need to determine whether a minimum level of IoT security was put in place.
Given the Trump administration's stated commitment to shoring up cybersecurity defenses across the Federal government, the bill's chances of becoming law appear to be high despite the daily internecine warfare between Republicans and Democrats. Politicians from both sides of the aisle now intuitively understand that devices connected to the Internet are going to be primary targets in any future conflict. At the very least, governments around the world have a vested interest in making sure the devices they deploy are not commandeered by cybercriminals to launch massive distributed denial of service (DDoS) attacks against private industry.
Of course, it may still take a year or more for the bill to navigate its way through Congress before landing on the president's desk, by which time hundreds of thousands more IoT projects will have been deployed in the field. But at the very least, IT security professionals now have something they can point to as a minimum level of IoT security that organizations need to achieve before connecting any device to the Internet. In fact, the way things are going these days in Washington, it may very well turn out that the Internet of Things Cybersecurity Improvement Act of 2017 winds up being the most significant new piece of legislation to be enacted any time soon.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.