AUGUST 4, 2017—In a sign of growing concerns about hacking, Senator Mark R. Warner (D-VA) recently introduced S. 1691, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, which would require U.S. government connected devices to meet minimum cybersecurity requirements.
Senator Warner and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, were joined by Senators Ron Wyden (D-OR) and Steve Daines (R-MT) in introducing the bipartisan legislation.
The legislation would require federal contractors who supply IoT devices to the U.S. government to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities.
Tech and security experts from institutions such as the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University were consulted in drafting the bill. The legislation also promotes security research by encouraging the adoption of coordinated vulnerability disclosure policies by federal contractors and providing legal protections to security researchers abiding by those policies.
While IoT devices present consumers, government and companies with enormous opportunities to improve and transform their everyday lives, business models and processes, they also present potentially devastating vulnerabilities to hackers, as demonstrated by recent disruptive global malware attacks such as the WannaCry malware attack. The attack this past May reportedly impacted about 230,000 computers in 150 countries.
“Internet-aware devices raise deep and novel security issues, with problems that could arise months or years after purchase, or spill over to people who aren’t the purchasers,” said Jonathan Zittrain, Co-Founder of Harvard University’s Berkman Klein Center for Internet & Society. “This bill deftly uses the power of the Federal procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ some basic security measures in their products. This will help everyone in the marketplace, including non-governmental purchasers and the vendors themselves, since they’ll be encouraged together to take steps to secure their products.”