U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-WA) and Steve Daines (R-MT) on Tuesday introduced bipartisan legislation to improve the cybersecurity of Internet-connected devices.
The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require that devices purchased by the U.S. government meet certain minimum security requirements.
Under the terms of the bill, vendors who supply the U.S. government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements.
The bill, drafted in consultation with technology and security experts from institutions such as the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University, also promotes security research by encouraging the adoption of coordinated vulnerability disclosure policies by federal contractors and providing legal protections to security researchers abiding by those policies.
The Internet-of-Things, the term used to describe the growing network of Internet-connected devices and sensors, is expected to include over 20 billion devices by 2020. While these devices and the data they collect and transmit present enormous benefits to consumers and industry, the relative insecurity of many devices presents enormous challenges.
Sometimes shipped with factory-set, hard-coded passwords and often unable to be updated or patched, IoT devices can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack. Over the past year, IoT devices have been used by bad actors to launch devastating Distributed Denial of Service (DDoS) attacks against particular websites, web-hosting servers, and internet infrastructure providers.
“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Sen. Warner.
“This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
“The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices operating on our networks within the next several years,” said Sen. Gardner.
“As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks. This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space.”
“I’ve long been making the case for reforms to the outdated and overly broad Computer Fraud and Abuse Act and the Digital Millennium Copyright Act. This bill is a bipartisan, common-sense step in the right direction. This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company. Enacting this bill would also help stop botnets that take advantage of internet-connected devices that are currently ludicrously easy prey for criminals,” Sen. Wyden said.
“Information is a form of currency,” Sen. Daines stated. “We need to have proper safeguards in place to ensure that our information is protected while still encouraging innovation.”
Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would:
- Require vendors of Internet-connected devices purchased by the federal government to ensure their devices are patchable, rely on industry-standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.
- Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
- Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.
- Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.
- Require each executive agency to inventory all Internet-connected devices in use by the agency.
“The proliferation of insecure Internet-connected devices presents an enormous security challenge,” said Bruce Schneier, Fellow and Lecturer at Harvard Kennedy School of Government. “The risks are no longer solely about data; they affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests.”