Hassan among bipartisan group targeting IoT cybersecurity
Legislation would require national standard for all devices used by federal government
A bipartisan group of U.S. Senate and House members – including U.S. Sen. Maggie Hassan of New Hampshire – has introduced the Internet of Things Cybersecurity Improvement Act, which would require that devices purchased by the U.S. government meet certain minimum security requirements.
Besides Hassan, the legislation is being introduced in the Senate by U.S. Sens. Mark R. Warner, D-Va., and Cory Gardner, R-Colo., co-chairs of the Senate Cybersecurity Caucus, along with U.S. Sen. Steve Daines, R-Mont., and Reps. Robin Kelly, D-Ill., and Will Hurd, R-Texas, who are introducing companion legislation in the House of Representatives.
No national standard currently exists for IoT security, with each manufacturer free to decide how secure they want their devices to be. The proposed legislation would address that issue by requiring minimum security standards for any IoT device used by the federal government.
The Internet of Things – the term used to describe the growing network of internet-connected devices and sensors – is expected to grow to over 20 billion devices by 2020. At a hearing of the Senate Armed Services Committee last year, Defense Intelligence Agency Director Lt. General Robert Ashley described exploitation of insecure IoT devices as one of the two “most important emerging cyber threats to our national security.”
“With everything from LED lights to thermostats connected to the internet, we need to act swiftly to step up security for internet of things devices to prevent hackers from disrupting our economy and threatening public safety,” Sen. Hassan said. “By requiring the federal government to only purchase devices that meet certain cybersecurity standards, this bill will help protect federal agencies against hackers who are seeking to exploit internet of things devices in order to steal critical national security information and the private data of Granite Staters and Americans.”
Specifically, the legislation would:
- Require the National Institute of Standards and Technology to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
- Direct the Office of Management and Budget to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
- Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
- Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
- Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.