Following GAO Report, Legislatures Proffer Plan to Harden IoT Devices

A bill introduced earlier this week in the United States Senate aims to bolster the security of Internet-connected devices by using the vast-purchasing power of the United States Government to enforce a baseline security standard.

The bill, dubbed the Internet of Things Cybersecurity Improvement Act of 2017 (IoT-CIA), was introduced by senators Warner, Gardner, Wyden, and Daines.

The bill doesn’t aim to regulate all IoT devices, rather it provides for a baseline security standard for IoT devices bought by the U.S. government. Some of the requirements in the bill include the elimination of hardcoded passwords in devices, no known vulnerabilities at time of shipment, and manufactures must provide a way to deliver authenticated software updates, such as security patches.

It’s mind-boggling IoT device makers don’t do all of this on their own. And while IoT-CIA doesn’t call for a de-facto security standard for IoT devices, it will force any IoT device maker that wants to sell into the federal market to meet the standards, if the legislation becomes law. That would be a considerable amount of market pressure put into play.

Finally, the bill calls for considerable changes that impact security research regarding the Computer Fraud and Abuse Act (CFAA) and Digital Millennium Copyright Act (DMCA). The bill would remove the legal jeopardy security researchers face when researching these devices. This is something that has irked the information security community for years, with white hat security researchers being at legal risk for scouring devices for potential vulnerabilities.

According to a statement from Sen. Warner’s office, the bill would “exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when in engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.”

The move comes following a series of IoT-fueled attacks and a report from the U.S. Government Accountability Office (GAO), Internet of Things: Status and Implications of an Increasingly Connected World.

The report authors pegged information security as the top concern around IoT. “The IoT brings the risks inherent in potentially unsecured information technology systems into homes, factories, and communities. IoT devices, networks, or the cloud servers where they store data can be compromised in a cyberattack,” the report said.

Another issue the report cited is the impact connected IoT devices will have on physical safety. “Researchers have demonstrated that IoT devices such as connected automobiles and medical devices can be hacked, potentially endangering the health and safety of their owners. For example, in 2015, hackers gained remote access to a car through its connected entertainment system and were able to cut the brakes and disable the transmission,” the report said.

The report did issue a call for standards that would provide for technical standards for IoT devices to communicate securely and easily, and recognized that mitigating digital risks associated with IoT devices requires long-standing advice such as enticing device makers to design, prioritize, and build security into their devices, and conduct risk assessments at the beginning, then test security defenses before devices are sent to market. That’s exactly what this bill aims to force on any vendors that wish to sell IoT devices into the federal marketplace.