A group of bipartisan Senators and House members recently introduced legislation that would establish security requirements around IoT devices purchased by government agencies, such as the Department of Health and Human Services.
Introduced by Sens. Mark Warner (D-VA), Cory Gardner (R-CO), Maggie Hassan (D-NH), and Steve Daines (R-MT), alongside Reps. Robin Kelly (D-IL) and Will Hurd (R-TX), the Internet of Things Improvement Act would “use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”
The proposed bill would require NIST to issue recommendations addressing the minimum requirements for the secure development, identity management, patching, and configuration of IoT devices. NIST would also be tasked with working alongside cybersecurity researchers and other industry experts to publish guidance on coordinated disclosure, to ensure that device vulnerabilities are addressed.
It would also direct the Office of Management and Budget to issue guidelines for each agency consistent with NIST’s recommendations. OMB would be required to review those policies a minimum of every five years.
The bill would also require all devices purchased by the government to comply with those standards. It would further require contractors and vendors providing IoT devices to the government to adopt coordinated vulnerability disclosure policies, so that information is disseminated when a flaw is found.
Indeed, a May 2018 Departments of Commerce and Homeland Security report stressed that the federal government should lead by example when it comes to IoT device security, by requiring agencies to only purchase secure and resilient devices.
Many IoT devices are currently being sold without appropriate safeguards or protections in place, “with the device market prioritizing convenience and price over security,” Warner explained.
“The IoT landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years,” Gardner said in a statement. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks.”
NIST will continue to be a key player in developing those standards and establishing guidelines that will improve IoT device security, explained Gardner. The legislation intends to build on those efforts.
The concern is that an estimated 30 million internet-connected devices will be in use by 2020, and Kelly said it’s imperative to not “allow them to become a backdoor to hackers or tools for cyberattacks.”
Further, these devices are often shipped with factory-set, hardcoded passwords, and often cannot be patched or updated, or only with difficulty. The Congressional members said that, as a result, these devices are used to launch DDoS attacks against websites, web-hosting servers, and internet infrastructure providers.
A recent Check Point study confirmed just that: IoT devices pose a serious risk to IT networks, especially in the healthcare sector. The researchers found the cause is the open source nature of IoT devices and the increase of their data collection, which makes them a prime target for hackers.
In October, NIST also released its own report warning about the cybersecurity vulnerabilities found in IoT devices, stressing that IoT devices affect cybersecurity and privacy risks differently than traditional IT devices.
For Hurd, the proposed legislation will ensure “IoT devices [are] built with security in mind, not as an afterthought.”
“By requiring the federal government to only purchase devices that meet certain cybersecurity standards, this bill will help protect federal agencies against hackers who are seeking to exploit internet of things devices in order to steal critical national security information and the private data of… Americans,” Hassan said in a statement.
The bill has support from a wide range of security leaders, including vendors Rapid7 and CTIA.
Warner has made a hard push for cybersecurity efforts across all sectors in recent months. In February, he sent a letter to the American Medical Association, HIMSS, and other healthcare stakeholders asking these leaders to work with the federal government on short- and long-term plans to reduce cybersecurity flaws in the healthcare sector.
A few days later, he asked for similar help and recommendations from federal agencies, such as HHS, the Food and Drug Administration, NIST, and others.