A bipartisan group of U.S. senators this week introduced the Internet of Things Cybersecurity Improvement Act of 2017, which sets minimum requirements for the security of Internet-connected devices purchased by the U.S. government, and provides legal protections to security researchers.
It's a basic step forward for IoT device security, but a solid one -- requirements laid out by the legislation include (1) that Internet-connected devices be patchable, (2) that they rely on industry standard protocols, (3) that they don't use hard-coded passwords that can't be changed, and (4) that they don't have any known security vulnerabilities.
The bill also directs the Office of Management and Budget to develop alternative security requirements for devices with limited data processing and software functionality, and requires each executive agency to inventory all Internet-connected devices in use.
The bill broadly defines an Internet-connected device as any object that "is capable of connecting to and is in regular connection with the Internet," and "has computer processing capabilities that can collect, send, or receive data."
Shifting the Focus to Security
"While I'm tremendously excited about the innovation and productivity that Internet of Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place," Sen. Mark Warner said in a statement.
"This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices," Warner added. "My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products."
Arxan Technologies VP EMEA Mark Noctor told eSecurity Planet by email that he hopes the new bill will serve as an example to other governments worldwide to secure their own markets. "While there has been useful work in the area from bodies such as ENISA in Europe, it appears that an act of law is the best way to get vendors to ensure security," he said.
"While the focus on basic measures such as password management is a good starting point, we'd also like to see future legislation build on this to require more advanced security measures, such as using code hardening to protect a connected device's software from being broken into and reverse engineered for malicious purposes," Noctor said.
Encouraging Security Research
Notably, the bill also seeks to encourage security research by providing legal protections to security researchers who follow vulnerability disclosure policies, and directs the Department of Homeland Security to issue guidelines on vulnerability disclosure policies to be required by contractors providing Internet-connected devices to the U.S. government.
"I've long been making the case for reforms to the outdated and overly broad Computer Fraud and Abuse Act and the Digital Millennium Copyright Act," Sen. Ron Wyden said in a statement. "This bill is a bipartisan, common-sense step in the right direction."
"This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company," Wyden added. "Enacting this bill would also help stop botnets that take advantage of Internet-connected devices that are currently ludicrously easy prey for criminals."