The Internet of Things (IoT), the growing network of Internet-connected devices and sensors, is projected to exceed 20 billion devices by 2020. The devices and their data offer substantial consumer benefits and economies of scale, but the relative insecurity and evolving nature of the technology present significant cybersecurity challenges. For example, compromised IoT devices have been conscripted into botnets used to launch Distributed Denial of Service attacks against websites, servers and Internet providers. Bipartisan legislation introduced on March 11, 2019 seeks to improve the cybersecurity of Internet-connected devices purchased by the federal government.
United States Senators Mark R. Warner (D-VA), Cory Gardner (R-CO), Maggie Hassan (D-NH) and Steve Daines (R-MT) and Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) have introduced companion legislation in Congress titled the “Internet of Things (IoT) Cybersecurity Improvement Act of 2019.” The legislation follows a similar bill that stalled during the last congressional session.
The legislation would:
· Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing secure development, identity management, patching and configuration management for IoT devices.
· Direct the Office of Management and Budget (OMB) to issue guidelines for federal agencies that are consistent with the NIST recommendations, and charge OMB with reviewing those guidelines at least every five years.
· Require that any Internet-connected devices purchased by the federal government comply with those recommendations.
· Direct NIST to work with cybersecurity researchers and industry experts to publish guidelines on coordinated vulnerability disclosure, so that vulnerabilities in devices used by agencies are reported and fixed.
· Require contractors and vendors supplying IoT devices to the federal government to adopt coordinated vulnerability disclosure policies.
Several security firms and groups are publicly backing the legislation, including Symantec, Cloudflare and researchers at prominent universities including Harvard and Stanford.
The proposed federal legislation is comparable to California SB 327, the country’s first IoT security law, which was signed in September 2018 and takes effect on January 1, 2020. The California law requires manufacturers to equip connected devices with reasonable security features; for devices that can be logged into from outside a local network, that means either shipping each unit with a unique preprogrammed password rather than a default shared across the product line, or requiring the user to generate a new password before the device can be accessed for the first time.
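Both of the SB 327 credential requirements are straightforward to implement in device firmware, and the failure mode they target (a shared factory default that is never changed) is exactly what IoT botnets exploit. The following is an added example written for this post, not code from the page, the bill or any vendor; the `Device` class, its method names and the list of shared defaults are assumptions for illustration. It models a device's local admin login that refuses every request except "set a new password" while the factory default is still in place, and, as the alternative path, a unit that ships with its own randomly generated password.

```python
"""First-boot credential gate for a hypothetical IoT device (added example).

Two SB 327-style paths are modelled:
  1. ship the old shared default, but block all access until it is replaced;
  2. ship a unique, randomly generated password per unit (printed on the label).
"""
import hashlib
import secrets

# Constructed list of shared factory defaults that every unit of a product
# line would otherwise ship with; these are the credentials botnets try first.
SHARED_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "12345")}
MIN_PASSWORD_LEN = 12
PBKDF2_ITERATIONS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a dumped config file does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Device:
    """Local admin interface of a hypothetical IoT device (assumed names)."""

    def __init__(self, serial: str, username: str, password: str, is_shared_default: bool):
        self.serial = serial
        self.username = username
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(password, self._salt)
        # True while the unit still carries a credential common to the whole product line.
        self.must_change_password = is_shared_default

    @classmethod
    def shipped_with_shared_default(cls, serial: str, username="admin", password="admin"):
        """Path 1: the legacy default is present but unusable until replaced."""
        return cls(serial, username, password, is_shared_default=True)

    @classmethod
    def shipped_with_unique_password(cls, serial: str, username="admin"):
        """Path 2: a unique preprogrammed password per unit. The plaintext is
        returned once, for the label; only its salted hash is stored."""
        password = secrets.token_urlsafe(12)
        return cls(serial, username, password, is_shared_default=False), password

    def _verify(self, username: str, password: str) -> bool:
        return username == self.username and secrets.compare_digest(
            self._hash, _hash_password(password, self._salt))

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied', or 'setup_required'. While the shared
        default is in place even a correct default yields no session."""
        if not self._verify(username, password):
            return "denied"
        if self.must_change_password:
            return "setup_required"
        return "ok"

    def validate_new_password(self, new_password: str):
        """Returns an error message, or None if the password is acceptable."""
        if len(new_password) < MIN_PASSWORD_LEN:
            return f"password must be at least {MIN_PASSWORD_LEN} characters"
        if (self.username, new_password) in SHARED_DEFAULTS:
            return "password is a known factory default"
        if self.serial.lower() in new_password.lower():
            return "password must not contain the device serial"
        return None

    def set_initial_password(self, username: str, current_password: str, new_password: str):
        """Completes first-boot setup. Returns an error string, or None on success."""
        if not self._verify(username, current_password):
            return "denied"
        err = self.validate_new_password(new_password)
        if err:
            return err
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(new_password, self._salt)
        self.must_change_password = False
        return None
```

The gate lives in the device, not in a setup wizard the user can skip: until `must_change_password` clears, `login` never returns a session, so a unit plugged in and forgotten is not reachable with "admin/admin". In real firmware the setup endpoint should additionally be reachable only from the local network, since `setup_required` confirms to a remote caller that the default is still valid.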
As IoT devices become part of our daily business dealings and personal comforts, we must understand, collectively and individually, the risks that accompany the benefits. We will monitor the proposed federal legislation and comparable state laws and report on the evolving legal protections on this blog.