New bill would heighten security standards for IoT devices sold to government
A bipartisan group of senators introduced legislation Tuesday that would heighten the cybersecurity standards for companies that hope to sell Internet of Things devices to the federal government.
CyberScoop’s Chris Bing reports that the “Internet of Things Cybersecurity Improvement Act of 2017,” co-sponsored by Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., mandates that any IoT product sold to the government must be able to receive software patches in case of a discovered vulnerability.
The bill additionally calls for manufacturers to discontinue the practice of hard-coding passwords into the firmware of devices — a practice that is already condemned by security experts. Typically, a hard-coded password is hidden from the user and is intended for the manufacturer’s use only. But hackers have taken advantage of hard-coded passwords to break into IoT devices and incorporate them into distributed denial of service attacks.
Although the bill at the moment only applies to technology firms and contractors that are trying to sell products to federal agencies, the legislative action could have a larger impact on the IoT market as developers seek to attract business from both the government and consumer space.
The federal government is already a major customer of IoT hardware: according to a study conducted by market analysis firm Govini, it purchased approximately $4 billion worth of “sensors and data collectors” between 2011 and early 2016.
“As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks,” said Gardner. “This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space.”