US Senate IoT security bill aims to set basic standards

August 08, 2017 // By Rich Pell
Several U.S. senators have introduced legislation aimed at improving the cybersecurity of Internet of Things (IoT) devices.

Called "The Internet of Things Cybersecurity Improvement Act of 2017," the bill would "provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies, and for other purposes." In other words, it would require that IoT device makers meet certain communication, encryption, and peripheral connection security standards for any such products sold to federal agencies.

Introduced by Senators Mark Warner, Cory Gardner, Ron Wyden, and Steve Daines, the bipartisan bill would, among other things, require that devices be able to be patched with security updates. It also would prohibit the use of hard-coded passwords in devices' firmware, a vulnerability that has been exploited by hackers.

According to Recode, the bill would also allow independent testers to test the cybersecurity defenses of IoT devices and then report the results back to manufacturers without fear of liability. Senator Warner told the technology news site that, while the bill does not directly address consumer products, the vast "purchasing power" of the federal government might spur security improvements in IoT devices sold to consumers.

In an official statement, Warner said, "While I’m tremendously excited about the innovation and productivity that Internet of Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place."

"This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products."

Warner had also told Recode that currently there is no comprehensive accounting of the IoT devices that the U.S. government owns or operates. Warner had previously pushed the Federal Trade Commission (FTC) to look into protecting children's privacy from Internet-connected smart toys.

The Internet of Things Cybersecurity Improvement Act of 2017