If a bill introduced by Sen. Mark Warner, D-Va., and Sen. Cory Gardner, R-Colo., co-chairs of the Senate Cybersecurity Caucus, becomes law, it would impose a new set of security standards, including a requirement that products be patchable, on companies that sell Internet of Things (IoT) “things” to the federal government.
If the law is enacted, agencies must include a clause in their contracts with tech vendors “that requires such Internet-connected device software or firmware component to be updated or replaced, consistent with other provisions in the contract governing the term of support, in a manner that allows for any future security vulnerability or defect in any part of the software or firmware to be patched in order to fix or remove a vulnerability or defect in the software or firmware component in a properly authenticated and secure manner,” according to the proposed Internet of Things Cybersecurity Improvement Act of 2017.
Under the act, device makers could not ship hard-coded credentials in products sold to the government; such fixed credentials have been exploited in the past to spread malware, as in the Mirai attacks. A company would have to provide written certification that a device “does not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication,” the bill said.
“This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products,” Warner said in a release, underscoring his excitement about the potential of the IoT and his concerns “that too many Internet-connected devices are being sold without appropriate safeguards and protections in place.”
Gardner called the bill “bipartisan commonsense legislation” that will ensure “the federal government leads by example” and procures only those devices that meet basic requirements “to prevent hackers from penetrating our government systems” without curbing the “life-changing innovations” that define IoT.
Agreeing that IoT “will change the way we do everything,” Phil Reitinger, president and CEO of the Global Cyber Alliance (GCA), praised the IoT Cybersecurity Improvement Act as “an important first step to ensure that manufacturers of IoT devices make cybersecurity part of their products' DNA and the U.S. Government takes security and privacy into account when purchasing IoT.”
The promises of IoT will be met “only if the things that make up the 'Internet of Things' are trustworthy, protect our security and privacy and enable the services on which we rely, like power, communications, and hospital services, to be more resilient,” Reitinger said in comments emailed to SC Media.