The Internet of Things poses a hydra-headed security threat. On the one hand, there’s a plethora of applications, devices, communication protocols, software and hardware. And on the other, there’s the variability in security practices across IoT vendors, some of which don’t require end users to follow basic security measures.
Recent legislation proposed by Senators Mark Warner (R-Va.) and Cory Gardner (D-Colo.), known as the Internet of Things Cybersecurity Improvement Act of 2017, aims to address these challenges by establishing baseline security standards for IoT technology sold to the federal government. The proposal mandates that IoT vendors serving the government offer products that are patchable and use standard protocols, and stipulates that those products must not use hardcoded passwords or ship with known security vulnerabilities. Furthermore, it asks vendors to offer long-term patching and security support for the devices. Finally, the legislation would require government agencies to keep an inventory of their IoT devices.
While the proposed law has faced a mixed reaction in the security community, most experts view the legislation as a step in the right direction. For instance, Bruce Schneier, fellow at Harvard Kennedy School of Government, explained in a statement that he applauds “Senator Warner and his co-sponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government.” Similarly, Bob Noel, director of marketing and strategic partnerships at Plixer International, said: “I think there are some fundamental elements of this legislation that are fantastic. It is raising awareness, and it is creating some degree of standards for vendors who today aren’t accountable even for basic security missteps.”