Congress is running out of time to move on an internet-of-things security bill offered by Sen. Mark Warner, but the Virginia Democrat is hopeful agencies can pitch in with their own rules.
Sen. Mark Warner (Photo credit: Mark Reinstein/Shutterstock)
It's no secret the internet of things is plagued by security gaps. Devices are shipped with hard-coded passwords and operating systems and firmware that can't be updated over the air. Not only are unsecured IoT devices vectors for leaking user data, but they can also be harnessed by botnet operators to conduct large-scale cyberattacks, such as the Mirai attacks of 2016.
So far, no U.S. agency or entity has taken the lead on developing standard or guidelines for IoT security. The Consumer Product Safety Commission is looking at physical threats posted by connected devices but has bowed out of the data security piece. The National Institute of Standards and Technology is accepting comments on a draft guidance that calls out various risks posed by the IoT ecosystem and possible ways to mitigate those risks.
Sen. Mark Warner (D-Va.), the vice chairman of the Senate Select Intelligence Committee, is concerned about cybersecurity risks posed by the IoT ecosystem, and he thinks federal purchasing power can influence manufacturers to build better security into their devices.
Warner, along with Sen. Cory Gardner (R-Colo.), introduced the Internet of Things Cybersecurity Improvement Act of 2017. The bill prohibits agencies from acquiring IoT devices and sensors that aren't patchable and that don't have changeable passwords. So far the bill hasn't received a hearing or a vote in the Senate Homeland Security and Government Affairs Committee, which has jurisdiction over federal procurement and cybersecurity.
Committee Chairman Sen. Ron Johnson (R-Wis.) "hasn’t been willing to move the legislation," Warner told FCW. With time running out for the current Congress, Warner is looking to a possible administrative approach. This would mean working with the Department of Defense, individual branches of the military or other agencies to have them set procurement rules individually. He also plans to reintroduce the bill next year.
"It's really pretty wild because I've talked to NSA, I’ve talked to DHS, DOD, FBI, they all say this is the minimum we need," Warner said. "They all say they’d like to see stronger security."
Without action at the federal level, state government is looking to take up the task themselves. California has recently signed into law legislation that would require manufacturers to have “reasonable security feature or features.”
“I think state legislation is unhelpful,” said Trevor Rudolph, the vice president for global digital policy at Schneider Electric and former chief of cyber and national security at the Office of Management and Budget. A patchwork of 50 different pieces of legislation could be hard for manufacturers to follow, he said.
But others think the California bill is a step in the right direction. Bruce Schneier, a security technologist at the Harvard Kennedy School, told the Washington Post that it "is going to help everybody."
"Of course it probably doesn’t go far enough -- but that’s no reason not to pass it," he said. "It's a reason to keep going after you pass it."
Federal legislation would help set the standards for IoT technology, provide guidance on how agencies can use it and pave the way for it being “a major piece of digital infrastructure that can be incredibly beneficial," said Joshua New, senior policy analyst at the Center for Data Innovation. "We think passing legislation directing the administration to develop an internet-of-things strategy would be the most effective," he said.
Industry in general is not too keen on the idea of regulation that could provide rules they'd have to follow in manufacturing their products. Industry associations were one of the main opponents of Warner's bill.
Tim Day, the senior vice president of the Chamber Technology Engagement Center, an organization that represents technology companies, testified before a House hearing earlier this summer and said the existing regulations should be reviewed to ensure they “do not constitute unintentional barriers” for companies.
“Much like the Internet’s earlier phases, IoT will flourish under a flexible, non-regulatory policy regime,” Day said in his testimony.
Warner remains adamant that his bill is common sense and not political.
"There is nothing partisan about this, there is absolutely top-line, broad-based agreement," he said. "But with the amount of devices that are being purchased on a daily basis, the fact that we’re not doing this is just crazy."
NEXT STORY: Federal DMARC compliance spikes up