A new bill introduced Tuesday by Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., would establish a new set of cybersecurity standards for companies that hope to sell so-called “Internet of Things” devices to federal agencies.
Titled the “Internet of Things Cybersecurity Improvement Act of 2017,” the legislation would require that any IoT product sold to the government be able to receive software patches when a vulnerability is discovered. It also calls on manufacturers to stop hard-coding passwords into device firmware, a practice security experts already condemn. A hard-coded password is typically hidden from the user and intended for the manufacturer’s use only, but attackers have used such passwords to break into IoT devices and conscript them into distributed denial-of-service attacks.
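To make the hard-coded-password problem concrete, here is an added example, constructed for this article and not code from the bill, from any vendor, or from any real device. It models two simplified device login routines: one with a fixed vendor “support” credential baked into the firmware (the anti-pattern the bill targets), and one with a per-unit factory password that is hashed at rest, cannot be bypassed by a second hidden account, and must be changed before the device serves anything else. The `fleet_compromise` helper shows why the first form matters: one leaked credential opens every unit. All names, the `"support"`/`"xc3511"` values, and the endpoint strings are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed example values for the anti-pattern; a real device should embed nothing like this.
VENDOR_BACKDOOR_USER = "support"
VENDOR_BACKDOOR_PASS = "xc3511"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; iteration count kept modest so the example runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class VulnerableDevice:
    """Anti-pattern: every unit ships with the same hidden manufacturer credential."""

    def __init__(self, owner_password: str = "admin"):
        self.salt = secrets.token_bytes(16)
        self.owner_hash = hash_password(owner_password, self.salt)

    def login(self, user: str, password: str) -> bool:
        # The backdoor branch: identical on every device, invisible to the owner,
        # and removable only by shipping new firmware.
        if user == VENDOR_BACKDOOR_USER and password == VENDOR_BACKDOOR_PASS:
            return True
        if user == "admin":
            return hmac.compare_digest(hash_password(password, self.salt), self.owner_hash)
        return False


class HardenedDevice:
    """Per-unit credential set at manufacture, hashed at rest, forced rotation on first use."""

    def __init__(self):
        # Unique factory password per unit (in practice printed on the device label).
        self.factory_password = secrets.token_urlsafe(12)
        self.salt = secrets.token_bytes(16)
        self.owner_hash = hash_password(self.factory_password, self.salt)
        self.must_change = True

    def login(self, user: str, password: str) -> bool:
        if user != "admin":
            return False  # there is no second, hidden account to find
        return hmac.compare_digest(hash_password(password, self.salt), self.owner_hash)

    def change_password(self, old: str, new: str) -> bool:
        if not self.login("admin", old) or len(new) < 12:
            return False
        self.salt = secrets.token_bytes(16)
        self.owner_hash = hash_password(new, self.salt)
        self.must_change = False
        return True

    def serve(self, user: str, password: str, endpoint: str) -> str:
        """Simulated request handler: until the factory password is replaced,
        only the password-change endpoint is reachable."""
        if not self.login(user, password):
            return "401"
        if self.must_change and endpoint != "/change-password":
            return "403 change factory password first"
        return "200"


def fleet_compromise(devices, user: str, password: str) -> int:
    """Count how many devices accept one credential, which is what an internet-wide
    scan by a botnet builder effectively measures."""
    return sum(1 for d in devices if d.login(user, password))


if __name__ == "__main__":
    vulnerable_fleet = [VulnerableDevice(f"owner-pw-{i}") for i in range(5)]
    hardened_fleet = [HardenedDevice() for _ in range(5)]
    print("vulnerable units opened by one leaked credential:",
          fleet_compromise(vulnerable_fleet, VENDOR_BACKDOOR_USER, VENDOR_BACKDOOR_PASS))
    print("hardened units opened by the same credential:",
          fleet_compromise(hardened_fleet, VENDOR_BACKDOOR_USER, VENDOR_BACKDOOR_PASS))
    print("hardened units opened by one unit's factory password:",
          fleet_compromise(hardened_fleet, "admin", hardened_fleet[0].factory_password))
```

The design point is not the hashing but the absence of any shared secret: with the hardened form, a credential stolen from one unit (or read off a label) is worth exactly one device, and the forced first-login change means even the label value stops working once the owner has set up the device. If a manufacturer genuinely needs remote support access, it should be a per-device, rotatable secret, never a constant compiled into the firmware.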
Notably, the bill also encourages researchers to conduct penetration tests in “good faith” on these IoT devices by providing legal protections against liability under the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act, two outdated laws that have in the past stifled innovation in the rapidly changing cybersecurity industry.
Although at the moment the bill only applies to technology firms and contractors that are trying to sell products to federal agencies, the legislative action could have a larger impact on the IoT market as developers seek to attract business from both the government and consumer space.
According to a study by market analysis firm Govini, the federal government is already a major customer of IoT hardware, having purchased approximately $4 billion worth of “sensors and data collectors” between 2011 and early 2016.
“As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks,” Gardner said in a statement. “This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space.”
It is not entirely clear when the bill will move into committee for an official vote.
Market intelligence firm IDC predicted in June that global IoT spending would reach $1.4 trillion by 2021.
The legislation comes after attackers in October 2016 took over and weaponized an arsenal of unsecured IoT devices, most of them security cameras and DVRs, as the Mirai botnet, using it to flood DNS provider Dyn and disrupt several major internet brands, including Spotify, PayPal and Twitter.