A bipartisan group of US senators is looking to get a better handle on the Internet of Things (IoT) and security as the number of connected devices continues to grow and the federal government invests more in the technology.
Introduced on Tuesday, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 bill would require any IoT device used by the federal government to meet a specific set of security requirements.
The security bill has backing from Republican and Democratic senators, including US Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), who are the co-chairs of the Cybersecurity Caucus, as well as Sens. Ron Wyden (D-OR) and Steve Daines (R-MT).
At the minimum, the proposed bill would require government contractors who are supplying IoT devices to ensure that sensors and other hardware are patchable, that these devices do not include hard-coded passwords and that IoT devices are free of any known security vulnerability before they are installed.
In short, the bill aims to ensure basic networking and IoT security before an agency starts hooking these devices to the Internet.
"This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products," Warner wrote in an August 1 statement supporting the bill.
In their statement, the senators point to the growing volume of IoT and connected devices, citing a widely circulated Gartner report that finds connected devices will grow from 8.4 billion this year to over 20 billion by 2020. Spending on IoT and related services is also expected to hit $2 trillion by the end of this year.
If passed, the bill would set minimum standards for IoT security, as well as several other guidelines for handling connected devices. These include:
- Allowing the federal Office of Management and Budget to create alternative network-level security requirements for devices with limited data processing and software functionality.
- Directing the Department of Homeland Security to issue cybersecurity disclosure guidelines to contractors who are supplying connected devices.
- Giving security researchers some liability protection if they are investigating IoT security flaws.
- Requiring each executive agency to inventory all connected devices.
The fact that these senators are recognizing IoT security is a big step in ensuring not only government, but enterprises and consumers are protected as well. Since many connected devices send information back to the cloud, the harm caused by an IoT breach is incalculable.
One of the major problems with IoT security, which can lead to malware and distributed denial-of-service (DDoS) attacks, is the way these devices are designed.
In a column for our sister site Security Now, Pawani Vaddi, a product manager for consumer devices at Webroot, wrote that IoT developers aren't conscious of building in security at the manufacturing level, which leaves these devices open to attack -- a concern Warner's statement echoed. (See How Secure Are Your IoT Devices?)
Additionally, an IDC report published in June found that spending on IoT hardware security will increase at a compound annual growth rate (CAGR) of 15.1% between now and 2021. At the same time, spending on security software will increase at a CAGR of 16.6%. (See IoT Spending Will Reach $1.4T by 2021 – Report.)
In his statement, Warner noted that he's written to the Federal Trade Commission about the data that "smart toys" collect, as well as concerns raised after the Mirai botnet attack that involved IoT devices. (See Level 3's Drew Sees Liability Issues in IoT Botnets.)
— Scott Ferguson, Editor, Enterprise Cloud News.