Congress tries to legislate IoT security
In an effort to protect the U.S. government from hackers, a group of senators has introduced a bill that would legislate specific security measures for all connected hardware purchased by government agencies. The bill is called the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. Its sponsors are Senator Mark Warner (D-VA), Senator Cory Gardner (R-CO), Senator Ron Wyden (D-WA), and Senator Steve Daines (R-MT). Warner and Gardner are co-chairs of the Senate Cybersecurity Caucus.
The proposed legislation targets the companies that make and sell devices that connect to the internet. The bill states that contractors must inform the government of any known security vulnerabilities involving their products and must guarantee that their products rely on “software or firmware components capable of accepting properly authenticated and trusted updates from the vendor.” Furthermore, the bill requires all devices purchased by the government to use “non-deprecated industry-standard protocols and technologies” for communication, interconnection and encryption. The bill also stipulates that the government cannot purchase devices that rely on hard-coded passwords or credentials for remote administration and updates.
IHS Markit analyst Lee Ratliff, who focuses on the IoT, said the senators were wise to keep the bill’s requirements simple, rather than trying to dive into a large number of technical specifications.
“Mandating technology in law is very tricky because tech changes relatively easily and rapidly, while law does not,” Ratiff said. “For the best chance of success, they have to keep it simple and at a high level. … IoT security can be legislated, it’s just a question of whether it will be effective and what kind of unintended consequences will come about as a result.”
According to Senator Warner, the bill would also require each executive agency to inventory all internet-connected devices in use by the agency. Going forward, the Department of Homeland Security’s national protection and programs directorate would be required to issue guidelines regarding “cybersecurity coordinated vulnerability disclosure policies” to be required by contractors providing connected devices to the U.S. government. In addition, the Office of Management and Budget would be asked to “develop alternative network-level security requirements for devices with limited data processing and software functionality.”
The bill states that agencies may petition to bypass the legislation in specific instances, “if an executive agency reasonably believes that procurement of an internet-connected device with limited data processing and software functionality … would be unfeasible or economically impractical.”
“This legislation would establish thorough, yet flexible, guidelines for federal government procurements of connected devices,” said Senator Warner. “My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
The policymakers who drafted the bill consulted security experts from Harvard and several other institutions that focus on cyber security. If enacted, the legislation could impact roadmaps and requirements for many IoT devices, since much of the hardware used by the government is also used in the private sector.
Artificial intelligence not addressed
One area not addressed in the bill is artificial intelligence. Academic researchers who study IoT security have expressed concerns that humans will be unable to recognize some of the hacks that could be designed to disrupt connected machines that rely on AI. This was addressed earlier this year in a white paper published by the University of Michigan and Stony Brook University.
“Attackers can craft inputs that look indistinguishable from benign inputs to humans, but can be interpreted in a completely different way by machines,” the researchers wrote. “For example, tampered images that are fed into a vision algorithm running on an autonomous vehicle can make the vehicle believe a stop sign was a yield sign, causing a possible crash at an intersection.”
Follow me on Twitter.