Senators offer bill to boost security of internet-connected devices


A bipartisan group of senators unveiled legislation Tuesday to bring more security to internet-connected devices, often referred to as the "internet of things." 

Sens. Mark Warner (D-Va.), Steve Daines (R-Mont.), Cory Gardner (R-Colo.) and Ron Wyden (D-Ore.) introduced the "Internet of Things Cybersecurity Improvement Act of 2017."

“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Warner in a statement announcing the bill. 


“This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices,” he added.

Internet-connected devices raise a number of problems in cybersecurity. Hackers can take over vast arrays of connected devices and synchronize them to overwhelm a targeted server with requests, knocking it offline – an attack known as a distributed denial of service. This kind of attack felled a critical internet switchboard in October of last year, briefly knocking sites from Twitter to The New York Times offline.

Hackers can also use internet-connected devices, including baby monitors and talking dolls, to snoop on their users or to converse directly with them without permission. In some cases, hackers can cause real-world damage by sabotaging the device.

The bill would limit government purchases of internet-connected devices to those meeting minimal security standards, require agencies to catalog internet-connected devices in their possession and tweak copyright laws to allow researchers to check device security, provided they responsibly disclose their findings. The bill would also call for the Office of Management and Budget to develop security standards for devices lacking the technological resources to be as big a threat and for the NSA to develop standards for researchers to contact government contractors about security flaws found in their products.

Many devices are currently not updatable, meaning they can never patch security flaws. 

Researchers have lobbied for a change to copyright laws for many years, noting that they stifle needed security testing. The 20-year-old Digital Millennium Copyright Act (DMCA) prohibits anyone from circumventing technology copyright protections even for reasons that would not violate a copyright. That means internet-connected devices that take any measure to protect the coding of a machine can never have that coding audited by a researcher.

The Library of Congress, which has authority on granting exemptions to the DMCA, exempted a handful of devices for research purposes, including voting machines. 

The bill has racked up endorsements from prominent security, internet and privacy researchers, including Harvard's Jonathan Zittrain and Bruce Schneier; industry executives, including Jeff Greene, senior director of global government affairs and policy at Symantec; and leaders at digital liberties groups, including Michelle Richardson, deputy director of the Freedom, Security and Technology Project at Center for Democracy and Technology.

"Poor cyber hygiene represents a public health issue — and even threat to human life," reads a testimonial from Josh Corman, director of the Atlantic Council's Cyber Statecraft Initiative and creator of the internet of things security advocacy group "I am the Cavalry."

"It is encouraging to see what the federal government can do to raise the bar," he said.