A bipartisan group of lawmakers unveiled legislation Monday that would create cybersecurity standards for Internet of Things (IoT)-connected devices.
The bill, introduced in the Senate by Sens. Mark Warner (D-VA) and Cory Gardner (R-CO) and in the House by Reps. Will Hurd (R-TX) and Robin Kelly (D-IL), would require established standards for government use of the devices.
IoT devices can open the door to potential security issues. Hackers who are able to access one device can sometimes find a way to manipulate other connected items. They can also infiltrate networks or systems linked to the devices.
There has been a rush to get IoT devices to market, but that comes with a drawback.
“IoT device manufacturers have typically deprioritized security in favor of faster time-to-market and lower costs,” said Phil Neray, vice president of Industrial Cybersecurity at CyberX, a Boston-based IIoT & ICS security firm. “As a result, many IoT devices have much weaker security than other devices upon which we depend such as laptops and cell phones, lacking even the most basic security features like simple patching and removal of hard-coded administrative passwords. As a result, IoT devices present a particularly soft target for adversaries, who use them as convenient entry-points to compromise our smart buildings, smart cities, and smart factories. This bipartisan bill is an important step toward steering IoT manufacturers in the direction of stronger security for all devices that fuel our hyper-connected world.”
Government officials, lawmakers and security researchers have pointed to the vulnerabilities created by the interconnected nature of the devices — which can include products ranging from vehicles to home appliances like doorbells — as a major cybersecurity concern.
Gardner and Warner introduced a different version of the bill in the 115th Congress, but the measure did not advance.
Warner, who co-chairs the Senate Cybersecurity Caucus with Gardner and is vice chairman of the Senate Intelligence Committee, said in a published report he’s concerned about IoT devices “being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security.”
Gardner said as the devices “continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks.”
Under the bill, the National Institute of Standards and Technology (NIST) would create recommendations for the federal government’s use of IoT devices, including establishing minimum security requirements to address the products’ cyber vulnerabilities.
NIST would also be required to issue a report on the increasing use and overlap of IoT devices, including recommendations on how to address cybersecurity issues.
The legislation also would require the Office of Management and Budget (OMB) to create guidelines for the purchase and use of such devices. NIST and OMB would have to revisit the policies and recommendations every five years to ensure they are in line with best practices.