Computer science major, CIA undercover officer, cybersecurity entrepreneur, and former IT Subcommittee chair U.S. Representative Will Hurd (TX-23) joined his colleagues to introduce bipartisan legislation to improve the cybersecurity of “Internet-of-Things” (IoT) devices. The bill was introduced in the House by Hurd and Rep. Robin Kelly (IL-02) and in the Senate by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus.
The bill would establish minimum requirements for Internet-connected devices purchased by the federal government.

The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require that devices purchased by the U.S. government meet specific minimum security requirements to keep Americans' data safe from hackers.

The Internet of Things, the term used to describe the growing network of Internet-connected devices and sensors, is expected to include over 20 billion devices by 2020. While these devices and the data they collect and transmit present enormous benefits to consumers and industry, many devices' relative insecurity presents considerable challenges. Sometimes shipped with factory-set, hardcoded passwords and often unable to be updated or patched, IoT devices can represent a weak point in a network's security, leaving the rest of the network vulnerable to attack. IoT devices have been used by bad actors to launch devastating Distributed Denial of Service (DDoS) attacks against websites, web-hosting servers, and internet infrastructure providers.

The IoT Cybersecurity Improvement Act will address both this market failure and the supply chain risk to the federal government stemming from insecure IoT devices by establishing light-touch, minimum security requirements for procurements of connected devices by the government.

Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would:

  • Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
  • Direct the Office of Management and Budget (OMB) to issue guidelines for each agency consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
  • Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
  • Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies so that if a vulnerability is uncovered, that information is disseminated.
  • Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.

Hurd said: “Internet of Things devices will improve and enhance nearly every aspect of our society, economy, and day-to-day lives. It is groundbreaking work, and IoT devices must be built with security in mind, not as an afterthought. This bipartisan legislation will make the Internet of Things devices more secure and help prevent future attacks on critical technology infrastructure.”

Rep. Kelly said: “As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure. Everything from our national security to American citizens' personal information could be vulnerable because of security holes in these devices. It's estimated that by 2020 there will be 30 million internet-connected devices in use. As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”

Sen. Warner said: “While I'm excited about their life-changing potential, I'm also concerned that many Internet-of-Things devices are being sold without appropriate safeguards and protections. The device market prioritizes convenience and price over security. This legislation will use the federal government's purchasing power to establish some minimum security standards for IoT devices.”

Sen. Gardner said: “The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years. As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government's networks. Agencies like the National Institute of Standards and Technology (NIST), which has a major campus in Boulder, are key players in helping establish guidelines for improved IoT security and our bill builds on those efforts. As co-chairs of the Senate Cybersecurity Caucus, Senator Warner and I remain committed to advancing our nation's cybersecurity defenses.”

Tommy Ross, Senior Policy Director, BSA | The Software Alliance, said: “BSA applauds Senators Warner and Gardner and Representatives Kelly and Hurd for their leadership in securing the IoT, and calls on Congress to act swiftly to advance this important legislation. As IoT devices increasingly bring greater productivity and quality of life to consumers and businesses across sectors, we must be proactive in addressing the unique security considerations they bring.”

Jeff Greene, Vice President of Global Government Affairs & Policy at Symantec, said: “Insecure and unsecured IoT devices are a risk we must address. It will only happen if the government and the private sector both step up. I'm glad that Senators Warner and Gardner and Representatives Kelly and Hurd are continuing to push this issue.”

The bill has also been endorsed by the Identification Technology Association, Rapid7, CTIA, Tenable, Bruce Schneier at the Harvard Kennedy School, Jonathan Zittrain, Co-Founder of Harvard University's Berkman Klein Center for Internet & Society, Alan Davidson, Vice President of Global Policy, Trust, and Security at Mozilla, Cloudflare, and others.

Hurd has long been a champion of emerging technologies and practical policies that keep Americans safe. He has sponsored similar IoT legislation every year since 2017 to adopt cybersecurity standards for the internet-connected devices the federal government purchases, and drive the tech industry into building safer and better-protected products. As Chair of the IT Subcommittee for four years, his bipartisan IT policies helped the federal government save $5 billion in taxpayer dollars.

Source: Press Release
Date: March 12, 2019 
hurd.house.gov