U.S. lawmakers unveiled a bill this week that, if passed, would set basic security standards for connected devices purchased by federal agencies, from wearables to environmental sensors.
The bill, called the Internet of Things Cybersecurity Improvement Act of 2017, would require devices to have software that can be patched and passwords that can be altered before being sold to the U.S. government. Without such capabilities, experts warn, everything from internet routers to security cameras could be left open to digital threats.
The sponsors of the bill include Republican senators Cory Gardner and Steve Daines and Democratic senators Ron Wyden and Mark Warner, the co-chair of the Senate Cybersecurity Caucus. Last year, Warner also raised concerns to regulators about internet-connected toys recording conversations and collecting data from children.
The legislation comes almost a year after a malicious strain of code called Mirai recruited millions of webcams, routers, and other connected gadgets to attack servers that act like the internet’s infrastructure. The so-called Mirai botnet crippled websites in large parts of the United States, making for a spectacular display of the Internet of Things’ frailty.
For years, experts have warned that connected devices could be exposed without ways to patch their software or replace hard-coded passwords set at factories. That is particularly vital since sensors and other electronics could be deployed for decades, giving hackers ample time to, for example, steal personal information or take control of traffic lights.
Ray O’Farrell, chief technology officer of cloud computing firm VMware, said that the bill would provide “reasonable security recommendations” for federal agencies. The bill also requires that devices employ standard protocols and not be sold with known security vulnerabilities.
Drafted with input from experts from the Atlantic Council and Harvard, the bill would create legal protections for “good-faith” researchers who break into devices to uncover previously unknown security flaws. It would also introduce guidelines for reporting these vulnerabilities.
Under the bill, agencies would also have to keep an inventory of deployed Internet of Things devices. The Office of Management and Budget would also be tasked with laying out guidelines for simpler devices with “limited” software and processing power, which might include wireless sensors or identification tags.
While the legislation would provide companies with a set of guidelines, it does little to directly regulate security, said Jonathan Zittrain, a founder of Harvard University’s Berkman Klein Center for Internet and Society. But it could motivate companies eyeing sales to the government, which has a $95 billion technology war chest under President Donald Trump’s proposed budget for next year.
“This bill deftly uses the power of the Federal procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ some basic security measures in their products,” Zittrain said in a statement. “This will help everyone in the marketplace.”