Gardner, Daines bill seeks to strengthen security of internet of things devices for federal agencies

Internet-connected devices purchased by the federal government would have to meet minimum cybersecurity requirements to prevent hacking under legislation introduced by U.S. Sens. Cory Gardner (R-CO) and Steve Daines (R-MT) on Wednesday.

The network of internet-aware devices and sensors is expected to grow to 20 billion by 2020, and so-called internet of things (IoT) devices have been used to carry out distributed denial of service (DDoS) attacks on websites, servers and internet infrastructure providers over the last year.

Under the Internet of Things Cybersecurity Improvement Act of 2017, vendors that provide internet-connected devices to the federal government would have to meet basic security requirements, such as ensuring the devices are patchable, have passwords that can be changed and have no security vulnerabilities.

“IoT landscape continues to expand, with most experts expecting tens of billions of devices operating on our networks within the next several years,” Gardner, a co-chair of the Senate Cybersecurity Caucus, said. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyberattacks.”

Under the bill, the Office of Management and Budget would develop custom network-level security requirements for devices with limited data processing capabilities and functionality, and the Department of Homeland Security would draft vulnerability disclosure policies for vendors.

“Information is a form of currency,” Daines said. “We need to have proper safeguards in place to ensure that our information is protected while still encouraging innovation.”

Under the bill, executive agencies would be required to take inventory of all IoT devices, and cybersecurity researchers engaged in good-faith research under the vulnerability disclosure guidelines would be exempt from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act.

Jonathan Zittrain, the co-founder of the Berkman Klein Center for Internet & Society at Harvard University, said internet-aware devices create deep and novel security issues, but problems sometimes arise only months or years after purchase.

“This bill deftly uses the power of the federal procurement market, rather than direct regulation, to encourage internet-aware device makers to employ some basic security measures in their products,” Zittrain said. “This will help everyone in the marketplace, including non-governmental purchasers and the vendors themselves, since they’ll be encouraged together to take steps to secure their products.”

Gardner and Daines introduced the bill with bipartisan support from U.S. Sens. Mark Warner (D-VA) and Ron Wyden (D-WI).

“This bipartisan, common sense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space,” Gardner said.