Will warning labels shield users against insecure IoT?

A pair of Democratic lawmakers is backing new cybersecurity standards for the internet of things, including a framework to identify and label products.

Rep. Ted Lieu (D-Calif.) and Sen. Ed Markey (D-Mass.) introduced the Cyber Shield Act of 2017 on Oct. 27, which would empower the secretary of the Department of Commerce to create a program to grade and certify industry products that connect to the internet for cybersecurity and data security. It would also establish an advisory committee composed of industry representatives, cybersecurity experts and federal employees to recommend new standards and guidelines for internet of things security to the secretary of Commerce.

"The government and tech companies share an obligation to develop more transparency around the security of our favorite devices," Lieu said in a statement.

According to IT research firm Gartner, by 2020 there will be more than 20 billion devices, products and other "things" connected to the internet worldwide. That potential reality has policymakers scrambling to determine how best to regulate IoT devices while also deterring hackers who may attempt to leverage their collective computing power to wreak havoc on public and private networks.

In 2016, the Mirai botnet blocked or slowed access to large portions of the internet by taking over thousands of connected devices and using their collective computing power to execute a distributed denial-of-service attack on a major internet infrastructure company.

Lieu and Markey's bill is one of several that have been introduced in recent months to bolster the security standards around connected devices. In August 2017, Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) introduced the Internet of Things Cybersecurity Improvement Act, which would put strictures around government acquisition of devices, banning the purchase of unpatchable gear and devices with hard-coded passwords.

Warner and Gardner had investigated and ultimately rejected the warning label approach.

"We were increasingly convinced by talking to industry experts that there is no single static approach," said Rafi Martina, a policy aide to Warner, at an Oct. 25 meeting of the National Institute of Standards and Technology's Information Security and Privacy Advisory Board. A warning label "conveys a false sense of security," Martina explained, especially if "the vendor doesn't commit to patching to maintain the out-of-the-box level of security."

By focusing on the government market, Martina explained, they could commit to avoiding the presence of "smaller fly-by-night" devices -- the "stocking stuffers from the TJ Maxx checkout line" -- while at the same time respecting and encouraging more mature and serious market entrants.

"We need to ensure that the bar is set in line with that level of maturity," Martina said.

The question remains whether the government's purchasing power in the connected devices space will be big enough to contribute to security in the overall ecosystem. Martina said that it would be nice if it did, but what's important is making sure only secure devices ride on federal networks.

"That second-order effect is welcome," Martina said, "but the first-order effect -- the higher level of security in the government" -- is the main goal of the legislation.

FCW Executive Editor Adam Mazmanian contributed to this story.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.
