Senators introduce bill to improve IoT security

Legislators have introduced the Internet of Things Cybersecurity Improvement Act of 2017 with the goal of improving the cybersecurity of Internet-connected devices.

The bill calls for devices bought by the government to meet specified minimum security requirements. It also calls for vendors who supply the government with IoT devices to ensure their devices are patchable, do not include hard-coded passwords that cannot be changed, and come without known security vulnerabilities.

The legislation encourages security research by supporting the adoption of coordinated vulnerability disclosure policies by federal contractors and giving legal protections to security researchers who follow those policies.

The bipartisan bill was introduced by Senators Mark R. Warner, D-Virginia, and Cory Gardner, R-Colorado, co-chairs of the Senate Cybersecurity Caucus, along with Senators Ron Wyden, D-Washington, and Steve Daines, R-Montana. The lawmakers discussed the legislation with technology and security experts before drafting the bill.

The bill has endorsements from the Atlantic Council, the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society, the Center for Democracy and Technology, Mozilla, Cloudflare, Neustar, the Niskanen Center, Symantec, TechFreedom, and VMware.

More than 20 billion devices worldwide are expected to contain some form of IoT by 2020. While IoT has benefits, it also comes with risks: the devices can serve as a weak point in a network’s security, since they are sometimes shipped with factory-set, hardcoded passwords and often cannot be updated, leaving the rest of the network vulnerable to attack.

This story originally appeared in Information Management.