Hurd bill seeks to strengthen security of federal government’s IoT devices

U.S. Rep. Will Hurd (R-TX) on March 11 signed on as the lead original cosponsor of bipartisan, bicameral legislation that would bolster the federal government’s cybersecurity around its internet of things (IoT) devices.

“This is groundbreaking work and IoT devices must be built with security in mind, not as an afterthought,” Rep. Hurd said. “This bipartisan legislation will make Internet of Things devices more secure and help prevent future attacks on critical technology infrastructure.”

The IoT is a network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment, according to research and advisory firm Gartner Inc., and may include connected security systems, thermostats, cars, electronic appliances, speaker systems, and vending machines, among many others.

“Internet of Things devices will improve and enhance nearly every aspect of our society, economy and our day-to-day lives,” said Rep. Hurd, cosponsor of the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, H.R. 1668.

The bill, sponsored by U.S. Rep. Robin Kelly (D-IL), would require that devices purchased by the U.S. government meet certain minimum security requirements to keep Americans’ personal data safe from hackers, according to a bill summary provided by Rep. Hurd’s office. 

Among the 11 other cosponsors joining Rep. Hurd in introducing H.R. 1668 is U.S. Rep. John Ratcliffe (R-TX). A U.S. Senate companion bill, the same-named S. 734, was introduced on March 11 by U.S. Sens. Cory Gardner (R-CO) and Mark Warner (D-VA), co-chairs of the Senate Cybersecurity Caucus, and U.S. Sen. Steve Daines (R-MO).

With some 20 billion devices expected to be in use by 2020, IoT devices and sensors also have the potential to execute distributed denial of service (DDoS) attacks on websites, servers and internet infrastructure providers, according to Rep. Hurd, formerly a cybersecurity entrepreneur and CIA officer. 

The IoT Cybersecurity Improvement Act would address such DDoS issues, as well as any supply chain risks caused by insecure IoT devices, and would create minimum security requirements for any IoT devices purchased by the U.S. government.

Additionally, among other provisions, the bill would require the National Institute of Standards and Technology to make recommendations related to secure development, identity management, patching, and configuration management for IoT devices, and would require any federal government IoT devices to comply with such recommendations, according to Rep. Hurd’s statement.

“As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure,” said Rep. Kelly. “Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices.”  

Sen. Gardner said that as IoT devices add numerous new entry points into American networks, Congress should ensure “they are secure, particularly when they are integrated into the federal government’s networks.”

Industry support for the bill already has been received by groups including BSA | The Software Alliance, Symantec, the Identification Technology Association, Rapid7, CTIA, Mozilla, Cloudfare, and others.

H.R. 1668 has been referred for consideration to both the U.S.House Oversight and Reform Committee and the U.S. House Science, Space, and Technology Committee. 

S. 734 is under review by the U.S. Senate Homeland Security and Governmental Affairs Committee, where the same-named S. 1691 was considered during the 115th Congress.