By 2020, the internet of things is expected to include over 20 billion devices, which collect and transmit an enormous amount of data. Much of that information is at risk because of security issues such as factory-set, hardcoded passwords that cannot be updated or patched.
“DDoS offender capabilities have rapidly evolved over the past year, enabling them to launch bigger attacks than ever before,” according to a report by Imperva, a web security software company. “The shift in the threat landscape is being driven by the emergence of botnets leveraging lax password management practices and security vulnerabilities found in IoT devices.”
One DDoS attack last year brought down the Minnesota Courts website for 10 days, according to Government Technology magazine.
U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-OR) and Steve Daines (R-MT), have introduced bipartisan legislation to improve the cybersecurity of Internet-connected devices.
The “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” would require that devices purchased by the U.S. government meet certain minimum security requirements.
Under the terms of the bill, vendors who supply the U.S. government with IoT devices would have to ensure that their devices are patchable, rely on industry standards, do not include hard-coded passwords, and are free of known security vulnerabilities.
The bill, drafted in consultation with the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University, also promotes security research by encouraging the adoption of coordinated vulnerability disclosure policies by federal contractors and providing legal protections to security researchers abiding by those policies.
“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Sen. Warner. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
The bill has endorsements from the Atlantic Council, the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society, the Center for Democracy and Technology, Mozilla, Cloudflare, Neustar, the Niskanen Center, Symantec, TechFreedom, and VMware.