New Bill Aims to Address Gaping Holes in IoT Security
A bipartisan group of U.S. senators is hopeful that new legislation could fill holes in the way Internet of Things (IoT) devices are secured – typically as an afterthought – at least for public sector buyers.
The new bill, introduced on Tuesday, would require vendors that provide connected equipment to the U.S. government to ensure that their products are patchable and meet industry security standards, according to Reuters.
Under this bill, devices that have unchangeable passwords or possess known security vulnerabilities would be banned from government use. It would also allow federal agencies to ask the U.S. Office of Management and Budget for permission to buy non-compliant devices if other controls were in place, Reuters reports.
Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation.
“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” Sen. Warner said in a statement. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
The bill will also include protections for cyber researchers who are working in good faith to find IoT vulnerabilities, such as the recently discovered Devil’s Ivy.
In a recent survey of 500 IT executives, 48 percent of firms reported having experienced at least one IoT security breach. Interestingly, companies that have not experienced a security breach have invested 65 percent more in IoT security than those that have been breached, according to the same report.
In the public sector, IoT is still in its infancy across the federal and local levels of government, and because it’s an emerging technology “it can be expensive and it is relatively untested,” according to Joshua New, policy analyst at the Center for Data Innovation, in an interview with GovTech. And as with any new technology, security risks can make it even harder for the public sector to adopt.
The bill’s supporters hope that this legislation could address that, even as they try to take the “lightest touch possible.”
“Through their spending power, governments can drive the focus and accelerate the adoption of IoT technologies and solutions. In aggregate, governments represent a huge global market,” said Maciej Kranz, who is the best-selling author of Building the Internet of Things and Cisco’s vice president of the Corporate Technology Group.
“Their priorities, what they choose to buy, and what problems they choose to address can drive the roadmaps of IoT technology and solution providers. Military requirements, for example, have accelerated the technology development and adoption of drones, wearables, sensors (especially bio-sensors), and many IoT communication technologies.”
Indeed, the biggest spenders on IoT within the public sector are military and law enforcement. According to a report released last year by Govini, the “Department of Homeland Security and Department of Justice have tripled their spending on equipment and services related to the Internet of Things (IoT) over the past six years.”