On August 1st, U.S. Senators Mark R. Warner (D-VA) and Cory Gardner (R-CO), along with Senators Ron Wyden (D-OR) and Steve Daines (R-MT), introduced bipartisan legislation to improve the cybersecurity of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require that devices purchased by the U.S. government meet certain security requirements. The bill would:
Require vendors of Internet-connected devices purchased by the federal government to ensure their devices are patchable, rely on industry-standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.
Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.
Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.
Require each executive agency to inventory all Internet-connected devices in use by the agency.
The bill has endorsements from several organizations, including the Atlantic Council, the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society, the Center for Democracy and Technology, Symantec, TechFreedom, and VMware. For a full list of endorsements, and to read a one-page fact sheet on the bill, please click here.