Senators offer bill to boost security of internet-connected devices


A bipartisan group of senators unveiled legislation Tuesday to bring more security to internet-connected devices, often referred to as the "internet of things." 

Sens. Mark Warner (D-Va.), Steve Daines (R-Mont.), Cory Gardner (R-Colo.) and Ron Wyden (D-Ore.) introduced the "Internet of Things Cybersecurity Improvement Act of 2017."

“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Warner in a statement announcing the bill. 


“This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices,” he added.

Internet-connected devices raise a number of problems in cybersecurity. Hackers can take over vast arrays of connected devices and synchronize them to overwhelm a targeted server with requests, knocking it offline – an attack known as a distributed denial of service. This kind of attack felled a critical internet switchboard in October of last year, briefly knocking sites from Twitter to The New York Times offline.

Hackers can also use internet-connected devices, including baby monitors and talking dolls, to snoop on their users or to converse directly with them without permission. In some cases, hackers can cause real-world damage by sabotaging the device.

The bill would limit government purchases of internet-connected devices to those meeting minimal security standards, require agencies to catalog internet-connected devices in their possession and tweak copyright laws to allow researchers to check device security, provided they responsibly disclose their findings. The bill would also call for the Office of Management and Budget to develop security standards for devices lacking the technological resources to be as big a threat and for the NSA to develop standards for researchers to contact government contractors about security flaws found in their products.

Many devices are currently not updatable, meaning they can never patch security flaws. 

Researchers have lobbied for a change to copyright law for many years, noting that it stifles needed security testing. The 20-year-old Digital Millennium Copyright Act (DMCA) prohibits anyone from circumventing technological copyright protections, even for reasons that would not violate a copyright. That means internet-connected devices that take any measure to protect the coding of a machine can never have that coding audited by a researcher.

The Library of Congress, which has authority to grant exemptions to the DMCA, exempted a handful of devices for research purposes, including voting machines.

The bill has racked up endorsements from prominent security, internet and privacy researchers, including Harvard's Jonathan Zittrain and Bruce Schneier; industry executives, including Jeff Greene, senior director of global government affairs and policy at Symantec; and leaders at digital liberties groups, including Michelle Richardson, deputy director of the Freedom, Security and Technology Project at Center for Democracy and Technology.

"Poor cyber hygiene represents a public health issue — and even threat to human life," reads a testimonial from Josh Corman, director of the Atlantic Council's Cyber Statecraft Initiative and creator of the internet of things security advocacy group "I am the Cavalry."

"It is encouraging to see what the federal government can do to raise the bar," he said.