Legislation to ensure that the government’s Internet of Things hardware meets minimum cybersecurity standards has returned for the 116th Congress, as the public and the government grow more aware of the dangers of poorly designed and configured IoT sensors.
The bipartisan Internet of Things (IoT) Cybersecurity Improvement Act of 2019, introduced Monday on both sides of the Capitol, follows a similar bill that stalled in the previous Congress. As before, the goal is to ensure that all government agencies are operating under the same set of security guidelines when they buy IoT devices, which have a wide range of civilian and military uses.
“As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks,” said bill co-sponsor Sen. Cory Gardner, R-Colo., in a joint news release from the office of Sen. Mark Warner, D-Va.
Under the legislation, the National Institute of Standards and Technology (NIST) would issue recommendations on the development, configuration, identity management and patching of IoT devices. The Office of Management and Budget would then “issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years,” according to the news release. Vendors would have to meet those guidelines to sell their devices to the government.
NIST also would have to work with the industry on how to disseminate information about vulnerabilities in devices that the government has purchased. The agency already has made a deep mark on cybersecurity in general, with its popular framework for protecting networks in the public and private sectors.
In the House, Reps. Robin Kelly, D-Ill., and Will Hurd, R-Texas, are introducing the bill, as they did in the last Congress. Kelly was circulating a draft version in late 2018.
“Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices,” Kelly said.
The release from Warner and Gardner included support from various experts and industry leaders. Manufacturers of IoT devices have notoriously slipped up in providing minimum levels of security, leading to high-profile incidents such as the proliferation of the Mirai botnet, which used thousands of IoT devices in distributed denial-of-service cyberattacks from 2016 onward.
“As IoT devices increasingly bring greater productivity and quality of life to consumers and businesses across sectors, we must be proactive in addressing the unique security considerations they bring,” said Tommy Ross, senior policy director of BSA | The Software Alliance.
A potential upshot of the legislation, the sponsors said, would be to prompt the industry itself to apply such standards across all products, not just the ones it sells to the government.
Sens. Maggie Hassan, D-N.H., and Steve Daines, R-Mont., are also sponsors of the Senate version.