A bipartisan group of senators is calling on Congress to adopt security standards for internet-connected devices bought by the government in a bid to further secure the nation’s computer systems from cyberattacks.
If passed, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would mandate that connected devices purchased by the government meet specific security standards. Lawmakers are looking to safeguard against cyberattacks spread by IoT products in the wake of a debilitating outbreak last October blamed on the Mirai botnet, a network of infected devices harnessed by hackers to cause large-scale internet outages in the U.S. and abroad.
The legislation was introduced Tuesday by the co-chairs of the Senate Cybersecurity Caucus, Mark Warner, Virginia Democrat, and Cory Gardner, Colorado Republican, along with Sens. Ron Wyden, Oregon Democrat, and Steve Daines, Montana Republican. It was drafted in consultation with experts from the Atlantic Council and the Berkman Klein Center for Internet & Society at Harvard University, among others, and has already amassed the support of tech companies including Mozilla, Cloudflare and Symantec.
“This legislation would establish thorough, yet flexible, guidelines for federal government procurements of connected devices,” Mr. Warner said. “My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
In the case of Mirai, hackers compromised vulnerable household internet-connected devices ranging from webcams to routers and then used them to wage a massive distributed denial-of-service (DDoS) attack, a rudimentary but effective tactic used to logjam the internet by overloading web servers with illegitimate traffic. The attack rendered high-profile websites including Twitter and Netflix unavailable to millions and triggered responses from federal agencies the world over, including the U.S. Department of Homeland Security and FBI, among others.
About 20 billion IoT devices are expected to be online by 2020, and backers of the bill believe implementing security requirements at a federal level will force manufacturers to create less vulnerable products and in turn a more secure digital environment.
“We urgently need to start securing the internet of things, and starting with the government’s own devices is an important first step,” said Michelle Richardson, deputy director of the Freedom, Security and Technology Project at the Center for Democracy and Technology in D.C.
Specifically, the bill would prohibit the government from purchasing IoT devices shipped with factory-set, hard-coded passwords, as well as products that can’t be updated, don’t use industry-standard protocols or contain known security vulnerabilities. Another provision would implement safeguards designed to let security researchers test products for vulnerabilities without fear of prosecution or litigation, while another would require the government to take inventory of all internet-connected devices in use.
The federal government is expected to spend as much as $95 billion on tech next year, ReCode reported. Internationally, meanwhile, IoT spending could climb as high as $1.4 trillion by 2021.