Senate Cybersecurity Caucus co-chairs Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., partnered with Sens. Ron Wyden. D-Wash., and Steve Daines, R-Mont., to introduce the Internet of Things (IoT) Cybersecurity Improvement Act of 2017.
The IoT has been used to launch harmful distributed denial-of-service attacks in the past year, crippling websites, servers and infrastructure providers. To prevent this and help secure the nation, the act would put forth regulations and requirements for government purchases.
With the expectation of 20 billion devices connected to the IoT by 2020, the need for secure guidelines and requirements is needed. As Gardner says in a press release, “The internet of things landscape continues to expand ... As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyberattacks.”
The act would provide “thorough, yet flexible guidelines” for the procurement of IoT devices, Warner said. He said he hopes the legislation will “remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
More specifically, the act would require vendors to follow guidelines when selling to the government, instruct the Office of Management and Budget to make alternative requirements at the network level for devices containing limited processing and functionality, and instruct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines for vulnerability disclosure policies that contractors would need to follow. In addition, the bill would provide exemptions for cybersecurity researchers following the vulnerability disclosure guidelines and require executive agencies to keep records of all IoT devices used in the agency.
“Information is a form of currency,” Daines stated. “We need to have to proper safeguards in place to ensure that our information is protected while still encouraging innovation.”