Lawmakers in the U.S. Senate today introduced a bill that would set baseline security standards for the government’s purchase and use of a broad range of Internet-connected devices, including computers, routers and security cameras. The legislation, which also seeks to remedy some widely-perceived shortcomings in existing cybercrime law, was developed in direct response to a series of massive cyber attacks in 2016 that were fueled for the most part by poorly-secured “Internet of Things” (IoT) devices.
The IoT Cybersecurity Improvement Act of 2017 seeks to use the government’s buying power to signal the basic level of security that IoT devices sold to Uncle Sam will need to have. For example, the bill would require vendors of Internet-connected devices purchased by the federal government to make sure the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that vendors ensure the devices are free from known vulnerabilities when sold.
The bill, introduced by Sens. Steve Daines (R-Mont.), Cory Gardner (R-Colo.), Mark Warner (D-Va.) and Ron Wyden (D-Ore.), directs the White House Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality. In addition, it requires each executive agency to inventory all Internet-connected devices in use by the agency.
The bill’s provisions would seem to apply to virtually any device that has an Internet connection and can transmit data. Under the proposal, an IoT device has a fairly broad definition, being described as “a physical object that is capable of connecting to and is in regular connection with the Internet;” and one that “has computer processing capabilities that can collect, send or receive data.”
According to the bill’s core sponsors, the measure already has the support of several key legislative technology groups, including the Center for Democracy & Technology (CDT), Mozilla, and the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society.
Those advocates were no doubt involved in shaping other aspects of this legislation, including one that exempts cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act (CFAA), a dated anti-cybercrime law that many critics say has been abused by government prosecutors and companies to intimidate and silence security researchers.
Perhaps the most infamous example of prosecutorial overreach under the CFAA is the case of Aaron Swartz, a Harvard research fellow who committed suicide after being hounded by multiple CFAA fraud charges from state and federal prosecutors for downloading a large number of academic journal articles.
Specifically, the bill would “exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines,” according to a statement released by Sen. Warner (link added).
The measure also directs the Department of Homeland Security to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. government.
Last fall, Sens. Warner and others pinged federal regulators at the U.S. Federal Trade Commission (FTC) and the U.S. Federal Communications Commission (FCC) to see if something more could be done about the proliferating threat from poorly-secured IoT devices.
At the time, the world had just witnessed two of the largest cyberattacks the Internet had ever seen (including one against this Web site). Those attacks were launched with the help of IoT devices — mostly cheap security cameras and Internet routers — that were hacked thanks largely to user accounts which could not be removed and which were configured to be remotely accessible over the Internet.
A full text of the Senate proposal is available here.
Update, 3:49 p.m. ET: Corrected abbreviation for Sen. Wyden’s home state.
Great article as always, Brian. I believe Ron Wyden hails from OR.
Keep the good work up, sir. Your content is always bleeding edge, which is a nice change from much of the chatter.
Codifying technology standards into law almost never ends well. These will be on the books for a decade and everyone will meet the bare minimum that they must and claim victory.
Sounds like you don’t like regulation as a matter of principle.
What’s the alternative, stay with the status quo even as the number of IoT devices increases?
Regulation is the usual response when industry & commerce fail to police themselves in the broader interests of society.
Having basic regulations as well as appropriately harsh civil & criminal liability for companies and individuals is the only way to make sure that most of a problem is dealt with.
I’m glad this legislation was introduced and hope it is strong and far reaching enough.
Who watches the watchers(government)?
Voters should be for one.
Have you seen what passes for voters these days?
For that matter, have you seen what passes for elected representatives?
They will pass something that enables their lobbyists at the expense of citizens and small business.
Everything coming out of our corporate congress is one kind of giant gyp game or con job…
As consumers, we are voting with our dollars. If industry will not regulate itself then we as consumers must, just as we as voters must regulate the state. Let’s not give in to the idea of the nanny state.
My concern is that if the government codifies a standard, it will be a static document while technology relentlessly marches forward. In 3 years tops the standard will be hopelessly obsolete, but Congress won’t get around to updating it for another 15 years. I’m for a standard, but it has to be flexible enough to keep up with the times.
There is a difference between law and regulations. Codifying technology in law is a bad idea; regulating it is commonly done.
“Codifying technology standards into law almost never ends well. These will be on the books for a decade and everyone will meet the bare minimum that they must and claim victory.”
Yeah, better to find some way to make them financially liable making sure that the price of non-compliance is higher than the price of compliance. (I still remember one case involving the EPA and a polluting smokestack where it would cost the company more to fix the smokestack than to pay the continual fines. So of course they didn’t fix it….)
This covers any Internet connected device. Your desktop is an Internet connected device under the definition in Section 2. Consider the implications of that.
Agree 100% – they will not think this through ahead of time.
Tech standards that are ubiquitous are preferable. 110V AC comes to mind.
110V AC is standard in North America, at a 60 Hz cycle.
Other parts of the world use a 230V AC (at 50 Hz).
At least one nation, Japan, has 100 V AC, but with one part of the country on a 50 Hz network, and another part on a 60 Hz network…
This kind of standard arose from a combination of industry, government, and consumer action. Don’t know if it compares well to the standard attempted in this legislation.
Don’t count on this happening any time soon; Congress does pretty much nothing nowadays.
The bill is difficult to scan for a date, but I’m guessing that the numbers 202x will be the effective date for implementation.
Given that we are in the anti-regulation Trump Administration, I’m mildly surprised the Republicans are on board with this.
I would guess this is all part of necessity after the last eight years of government being a regular target of successful hacks with no consequences, much less additional security efforts put in place to remedy the problem. When you couple that with a high level rogue using insecure devices and disregarding Federal law, it is time for a complete overhaul. Hopefully, this is just the beginning…
UL and CSA, and some insurance-driven quasi-regulatory agencies, coupled with state and local building codes, make a more reasonable model to gain control of this uncontrolled international hack-a-thon. Likelihood of success via the federal model is slim to none, IMHO and experience.
Can you provide links to articles (preferably in the technical press) to back up your claims? I’d rather be convinced by evidence than sure but ignorant.
While I certainly agree that this is necessary, I don’t believe it can happen anytime soon.
There are far too many hands in the cookie jar. Also, if this does happen, be ready to pay the price. Everything IOT will be more expensive to pay for the added security and functionality.
It will eventually come down to us the consumers in one way or another.
If the IOT device gets more expensive because it has reasonable security implemented, then the IOT device should never have been released at the lower price point in the first place. Not having adequate security is not an option.
You want to know what would really jack up what consumers pay? Not doing anything to implement reasonable security for IOT devices. Then everyone, everywhere will have to implement protection against the DDoS attacks they launch again and again and again, which will drive up the cost of everything, not just IOT devices.
However, because this regulation makes sense, and is a reasonable and simple thing for Congress to do, means it will never get done. The only thing more dysfunctional than the executive branch is the legislative branch.
I plan to contact my representatives in Congress to support this bill. (I understand that the best way to do this is to phone the district office and give a straightforward, brisk, informed opinion to a staffer.)
I’m reading these comments to become more informed. Congress might not act, but this is a national security issue, and I think there is bipartisan support for (reasonable) national security issues.
I really hope that this will also force phone makers and phone companies to provide regular and timely [Android] OS updates.
As it is now, Android is a very fragmented OS where some phone manufacturers don’t even bother to publish OS updates at all.
Other manufacturers launch flashy models with promises of updates and then months later, after fools^H^H customers buy them they announce they will never update those phones anymore.
Moto/Lenovo did this crap with Moto E 2015 LTE – they launched it with fanfare at Mobile World Congress in Barcelona with promises of regular updates but then they quietly published a blog post 7 months later listing models that will be updated and where they practically decreed this model won’t ever be updated anymore even if they sold them with a 2-year warranty. Their point of view was that they sold a static BRICK not an updateable phone.
@Krebsonsecurity… please read the bill again.
It still leaves the CFAA “crimes” as punishments unless the device is “provided by a contractor to a department or agency of the United States.”
That means that independent research is still very much a crime and only those working for US agencies can be considered for the “good faith” exception.
That’s like leaving the fox (NSA/CIA) to guard the hen house and then considering they acted in “good faith” after they eat the hens.
Yes! Too many people think the alphabet agencies are looking out for us; NOT!
Agreed: The exceptions to the CFAA and DMCA are expressly limited to “in good faith, engaged in researching the cybersecurity of an Internet-connected device of the class, model or type provided by a contractor to a department or agency of the United States” and additional requirements.
This means that researchers who cannot prove that they are working on the EXACT SAME DEVICE as used by the US government can expect this Act will provide NO protection from abuse under CFAA or DMCA in their regular activities.
The limitations of liability for security researchers should extend to all their research activities and expressly legalizing their work in all areas, not just those where government directly benefits.
Another thought: A devious vendor could produce a single product, with different SKUs for the government and the “mass market” versions, then make the government SKU available ONLY for government purchase. If a researcher found a vulnerability in the “mass market” version, the vendor could prosecute under DMCA or CFAA to abuse the researcher, as it’s not the “same” device according to the SKU. Only if the government directly provides a device to a researcher for testing would the researcher be protected.
So if the vendors game the system: Independent security researchers won’t be safe from abuse, so for this bill to have any security benefit to the government, the government will have to hire them directly and provide them with the hardware if they want to reap the benefits of their research with these devices.
This is a very important point. When I contact my congressional representatives, I will make it clear that the protections need to extend to private parties (not sure of the best language for this).
There are equal demands at the European level, too. The good thing about this: this standard already exists. Have a look at http://www.iot-tests.org !
HA ! Does this include any sort of air-gapping devices used by the agencies?
Does this look like an auto-exemption for security researchers? I think everyone should go through a vetted process.
Well right now me and others I know have no interest in buying IoT devices, even though some of them seem pretty cool. There may be an initial increase in cost, but more customers may help bring down the prices.
I don’t get the cost argument. Would you buy a car that didn’t have brakes or seat belts because it is cheaper?
What’s next, forcing people to have antivirus/firewall setups on their computers?
You are so correct. You would not buy on this basis. The issue is people are happy to sell on this basis. The supply chain and who takes responsibility to build in security or solve the issue is the real problem. Hopefully this bill and companies like Device Authority go a long way to solving this.
According to the definitions in this bill a desktop is an Internet connected device. I can easily see a regulation requiring vendors to sell desktops with fully functional AV software. How they will roll in the subscription costs will be interesting. I can also see a regulation making it illegal to remove the factory installed AV software from your Internet connected device.
On the plus side, trusted computing requires an endorsement key that is stored on the chip at time of manufacture and cannot be changed. This bill will shoot that in the head.
If nothing else this elevates the conversation. It also shows some folks on the Hill attempting to master, or at least become more conversant in, concepts they previously found too technical to tackle. Sen Angus King is another one who has been doing the hard work to wrap his head around cyber security issues, including some related to critical infrastructure and grid.
We shouldn’t be connecting devices that cannot be at least minimally secured, and most folks at all levels of awareness and sophistication know this. Nevertheless we will connect insecure devices en masse … we’re doing it right now. See: Shodan dot io.
Maybe this bill has a chance to push back on that trend a bit.
Very much needed given known incidents and the increased dependence on IoT.
What about the existing NIST Cybersecurity for IoT program? Isn’t this already working to define standards and norms?
“NIST’s Cybersecurity for the Internet of Things (IoT) program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies, and academia, the program aims to cultivate trust and promote U.S. leadership in IoT.”
And NIST Initiatives in IoT:
For everyone above who is complaining about this bill, I suggest you go read the full bill. It is very non-prescriptive. When it does mention specifics, it usually refers to them as an example. Every organization should have some basic standard on the security requirements for connecting to the organization’s network. This bill lays out the requirements for those rules for equipment connected to government networks. It also allows existing sets of rules that do the same thing to be used instead. It is unfortunate that these rules even have to be mentioned; they are so basic to network security. But cheap IOT devices force this issue.
The one part I do question is the section on known vulnerabilities. If the software has unpatched known vulnerabilities, you have to document the mitigation for it (or isolate the network or similar).
There are a bunch of unpatched, known vulnerabilities. It will be difficult to try to document mitigations for all of them… especially if the vulnerabilities are in Windows, Android, or *nix.
Thanks, and I am very grateful to get such big advantages; here is an offer to take a Security Standards course and certification chance. I have a dream: I want to join some cyber security team in our country, that’s why I am looking for an online course. I want to learn Offensive Security,
Mobile App Security, Network Security, Web App Security, Exploit Development, etc. Please help me with advice on what will be best for me.
As soon as consumers (including Gov’t) begin requesting products certified to UL’s new 2900 series standards, the sooner manufacturers will begin to submit their products for certification. Without consumer demand for cyber assured products, the mfrs have no incentive to fix their nearly-non-existent cybersecurity manufacturing processes for software and hardware. Example: No one buys a non-UL certified fire system for this very reason; no mfr makes one anymore.
Amazing content, thanks for posting, I think we need information like this
The “S” in “IoT” stands for security. /s