Congress Considers IoT Cybersecurity Legislation - AgainThird Attempt at Setting Minimum Standards for Devices Government Uses
Backers in the U.S. Congress are hoping that the third time is the charm for an internet of things cybersecurity bill that would set minimum security standards for the connected devices that the federal government purchases for various projects.
The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 was introduced in the Senate on March 11 by a bipartisan group that includes Mark Warner, D-Va., and Cory Gardner, R-Colo, who are the co-chairs of the Senate Cybersecurity Caucus, along with Maggie Hassan, D-N.H. and Steve Daines, R-Mont.
A similar bill sponsored by Reps. Robin Kelly, D-Ill., and Will Hurd, R-Texas, has been introduced in the House.
The latest effort to pass the legislation comes at a time when a flood of IoT devices are entering the market, with Gartner estimating that more than 20 billion internet-connected devices will be online by the end of 2020.
Over the last two years, two bills, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 and the Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018 both failed to pass.
Right now, there's no set of U.S. national security standards for IoT devices, so any security features and protections are left to the discretion of the individual manufacturers or vendors.
But the California legislature passed a new law in 2018 - SB 327 - which requires some specific protections for consumers and creates rules for how IoT devices are built, including how passwords are used and changed.
A Lengthy Debate
Congress has been debating the merits of better IoT protection and security for years. In 2016, the House held hearings on the issue in the wake of a massive distributed denial-of-service attack that targeted Dyn, a service provider, and crippled numerous websites, including Netflix and Twitter.
Around the time those 2016 hearings took place, Warner and other elected officials raised concerns with the Federal Trade Commission that toys built with IoT sensors were collecting data and other information on children.
More recently, the FBI stopped a large-scale advanced persistent threat operation, using malware known as VPNFilter, that targeted home routers and other devices. U.S. authorities believe that a Russian-backed group planned to use these internet-connected devices as a botnet that could attack power plants and other critical infrastructure.
In a statement, Warner quoted Lt. General Robert Ashley, the director of the Defense Intelligence Agency, who described the lack of security around IoT devices last year as one of the two "most important emerging cyber threats to our national security."
New IoT Requirements
The newly proposed bills would tighten up some of the security around the IoT devices the federal government buys. By design, these cybersecurity rules would be "light-touch, minimum security requirements" for these devices, according to the bills. The proposed legislation also would require that:
- The National Institute of Standards and Technology issue recommendations that would address minimum secure development, identity management, patching and configuration management for IoT devices;
- The U.S. Office of Management and Budget issue guidelines for each federal agency that are consistent with the recommendations that NIST makes;
- NIST work with security researchers, as well as industry experts, to develop and then publish guidelines for coordinating vulnerability disclosures to various agencies that are using IoT devices;
- Outside contractors and vendors providing devices to the federal government adopt IoT vulnerability disclosure policies.
A Broader Impact?
Warner said the proposed legislation would use the purchasing power of the government to force IoT vendors to adopt security standards so that these safety features would make their way into a variety of different devices, including those used by businesses and consumers.
"The internet of things landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years," Gardner, one of the co-sponsors, said in a statement. "As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government's networks."
The proposed IoT cybersecurity legislation is drawing mixed reviews from security experts.
Tom McAndrew, CEO of Coalfire, which provides cybersecurity consulting, says that by using its purchasing power, the federal government can dictate new security standards up and down the IoT supply chain inside and outside the government.
"Consumers need the government to lead in security and privacy, and this Act is an important step in that direction," McAndrew says. "U.S. leadership in developing secure IoT products can help set an example and path for safer development both domestically and internationally."
But Nathan Wenzler, the senior director of cybersecurity at Moss Adams, a Seattle-based accounting, consulting and wealth management firm, says the legislation in its current form doesn't go far enough in forcing manufacturers to improve the security of IoT devices.
"While this seems like a step in the right direction, this legislation merely directs guidance to be developed and calls for a review every five years," Wenzler says. "Granted, forming guidelines is a great first step, but I don't see how this will have any immediate impact in how manufacturers are going to build better security controls into their IoT devices. Manufacturers are already increasing the security of their devices due to customer demand and public perception. So this bill does little, in my opinion, to accelerate those efforts."