Senators Steve Daines (R-MT), Mark Warner (D-VA), Cory Gardner (R-CO), and Ron Wyden (D-OR) recently proposed the “IoT Cybersecurity Improvement Act of 2017,” which establishes a certain set of “cybersecurity operational standards for Internet-connected devices purchased by Federal agencies.” The legislation defines such a device as one that is “capable of connecting to and is in regular connection with the Internet; and has computer processing capabilities that can collect, send, or receive data.” This bipartisan bill is one of the first attempts to improve protection from hacks of all kinds, surfacing partly as a response to last fall’s colossal distributed denial-of-service (DDoS) attack that infected millions of Internet of Things (IoT) devices and resulted in massive congestion and network collapse.
If the bill is successful, the Office of Management and Budget (OMB) would need to require U.S. federal agencies to supply contract arrangements for purchased IoT products. Under these contracts, internet-connected devices must allow for security updates, must not use fixed passwords, and must not possess any known vulnerabilities. While this is a step forward in securing U.S. networks against hacks, some have expressed the hope that the government was not in the habit of purchasing insecure IoT products in the first place. Law experts expect little opposition, since this piece of legislation focuses only on devices installed in government networks as opposed to all IoT devices.
The Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) would also undergo revisions. This legislation would remove risks for security investigators, providing more authorization for research on vulnerable devices. These amendments will also not significantly burden device manufacturers. The OMB would have to create and maintain an open-sourced database of devices and their manufacturers, which would include limitations of liability and notifications, sent to the government, that security support is being discontinued.
Read more here – “Draft IoT Legislation Increases Obligations on Contractors and Promotes Vulnerability Disclosure,” (Megan Brown, Matthew Gardner, Moshe Broder, WileyConnect)