Bipartisan Group Proposes IoT Cybersecurity Improvement Act

U.S. Senators Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-WA), and Steve Daines (R-MT) have introduced the Internet of Things Cybersecurity Improvement Act of 2017, a new bill that seeks to ensure that IoT devices sold to the U.S. government meet security requirements.

Companies have been quick to graft internet connections onto everything from refrigerators and stuffed animals to security cameras and thermostats, but when it comes to securing those devices, progress has been halting at best. Compromised IoT products have powered attacks that took down some of the world's largest websites, endangered the privacy of children, and potentially threatened national security.

This is a known problem, yet companies seem to be making the same mistakes over and over again. Consider IoT cameras: Vulnerabilities were discovered in Edimax cameras in November 2016, D-Link cameras in January, and Shenzhen Neo Electronics cameras just last month. Three different manufacturers working in the same IoT device category have failed to make sure their security cameras are, well, secure.

The same story has repeated itself across IoT device categories. The Internet of Things Cybersecurity Improvement Act of 2017 is supposed to change that...for the federal government. The bill doesn't focus on consumer devices--instead, it's targeted squarely at manufacturers who want to sell IoT products to government agencies. Sen. Warner explained the bill's purpose in a press release about its introduction:

“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Sen. Warner. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements [sic] of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”

It's disappointing that this bill won't extend to consumer products, but the Senators are unlikely to stop there. Warner asked three agencies--the FTC, FCC, and DHS--to investigate IoT security in October 2016. At the time, he said he wanted "a range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers."

Warner has also expressed concerns about how the insecurity of IoT devices affects consumers. We suspect the Internet of Things Cybersecurity Improvement Act of 2017's focus on the federal government is a starting point, not the ultimate goal, for the Senators' push to secure the IoT. Even if it isn't, the ramifications of insecure devices within the government could be worse than the dangers posed by consumer devices.

Representatives from Cloudflare, Mozilla, and other security companies and rights groups have all endorsed this bill. You can learn more about its requirements via this fact sheet; the full bill can be found here. The bill will now have to make its way through the bureaucratic process.

  • boosted1g
    So in a nutshell the consumer devices will be just as insecure as they currently are and government funded entities/contracts will have to buy the compliant model that the IOT company put a 4-8x markup on.
  • Dragon4570
    This is merely step one in the process. If they can get it through then it opens the door to regulation of IoT devices being sold in the U.S. to everyone. I would love to see them make it mandatory that they be set up with passwords that have to be changed immediately after installation at the very least. Too many people just leave it at the default password and proceed about their business thinking they are just fine.
  • shrapnel_indie
    Maybe I'm skeptical... but "step one" could be the only direction it goes, skipping regular consumers altogether. It wouldn't be hard at all to have the proposed bill do something about all IoT security on the private, business, and government sectors.

    It sounds more to me as if these senators are more worried about the security of what happens behind closed doors than consumers. The talk of consumer security later feels like it is just there to placate us. I don't know if these particular senators' jobs are up for voting on in 2018, but 2018 is just around the corner and some senate seats are sure to be up for election. I'm sure with the way voting has gone recently, they have wised up enough to avoid alienating the voters that pay attention instead of counting on a blind following.
  • Marcus52
    They seem to be unaware that government entities are just as threatened by insecure consumer devices as consumers are.
  • boosted1g
    20012994 said:
    They seem to be unaware that government entities are just as threatened by insecure consumer devices as consumers are.

    This is another time where I have to wonder if the congressmen are seriously that ignorant, or if it is more back-table dealing with lobbyists/corporations.
    Any government entity should have their own IA and/or DISA requirements to meet, which would include things like don't use the default password. Not to mention that any facility with anything sensitive should logically have some firewall rules in place. Thus 90% of the insecurities should already be taken care of.
    So by regulating JUST the government devices all it is really going to do is greatly increase the cost for government purchase of the accredited IOT device and offer very little additional security.
  • falchard
    Bi-partisan. When you decide to take all the negative traits of one party and combine them with the negative traits of the other party to create a bill that has no redeeming qualities.
  • Josh Mahurin
    Ron Wyden is from Oregon fyi