A new bill, introduced by members of the US senate, would require stricter government oversight of the the security and manageability of Internet of Things (IoT) devices used by the government. The bill, brought by a bipartisan group of senators, aims to address some of the glaring security vulnerabilities present in many of these connected devices.
According to the bill, vendors supplying IoT products to the government must provide a written certification that their devices meet the following criteria:
- Must not contain any known vulnerabilities or defects in the National Vulnerability Database, or any other database tracked by the government.
- Must have software that is able to be updated or patched.
- Must use non-deprecated, industry standard protocols for communication, encryption, and interconnection.
- Must not have any fixed or hard-coded credentials.
SEE: Hands on, Interactive Penetration Testing & Ethical Hacking (TechRepublic Academy)
The bill itself was sponsored by four senators–Democrats Mark Warner and Ron Wyden, along with Republicans Cory Gardner and Steve Daines. The bill’s official purpose is stated as “To provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies, and for other purposes.”
While the regulations would be strict, they’re not hard and fast. Users can apply for a waiver to purchase devices that aren’t compliant with the rules, as long as other precautions are in place, the bill states.
The bill also has implications for certain white hat hackers as well, noting that security researchers will not be held liable if they are looking for flaws “in good faith.” The hope is that the encouragement of this work would help with patching previously unknown vulnerabilities.
Research firm Gartner predicted that some 20 billion IoT devices will be in use by the year 2020, but massive security threats remain. In late 2016, it was discovered that the Dyn DDoS attack–which took down many well-known web properties–was powered by a botnet called Mirai that targeted IoT devices. Botnets like Mirari and a host of other threats are facing IoT deployments, especially those in the enterprise, every day, and proper security standards will be critical to the future of the connected workplace.
For the full text of the proposed bill, see below:
The 3 big takeaways for TechRepublic readers
- A newly-proposed bill by US senators would require that government-used IoT devices conform to certain standards for security and patchability.
- Security researchers would be given more freedom in “good faith” to explore IoT devices for vulnerabilities through white hat hacking and other means.
- The regulations aren’t hard and fast, as users can apply for a waiver if other security protocols are in place.