A new federal bill would regulate security for Internet of Things (IoT) devices by requiring government vendors to conform to standards and ensure that security problems in their products can be patched.
Sponsored by Sens. Cory Gardner (R-CO), Steven Daines (R-MT), Mark Warner (D-VA) and Ron Wyden (D-OR), the legislation would prohibit the use of hard-coded passwords and require that products be free from any known security violations.
The Internet of Things Cybersecurity Improvement Act 2017 would also establish an exemption from liability for cybersecurity researchers “engaging in good faith research” under the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act.
Importantly, the bill is limited to devices purchased by the U.S. government, although a security standard, once created, would likely be applied to consumer products as well and possibly provide the basis for consumer class actions.
“While I’m tremendously excited about the innovation and productivity that Internet of Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” Sen. Warner said in a statement. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
Why it matters: Legislators, regulators and consumer advocates have been expressing concern about IoT security for years, in regard to products ranging from connected children’s toys to smart TVs. Sen. Warner in particular has been the frequent author of letters to the Federal Trade Commission about IoT security, typically about smart toys.