A new bill that would establish federal guidelines for the security of IoT devices as well as policies for the coordinated disclosure of vulnerabilities in those devices has been introduced in both the House of Representatives and the Senate, setting the stage for what would be the first set of such standards for federal agencies and the vendors who sell them gear.
The bill includes a number of separate provisions, but the one that stands to have the biggest potential effect on IoT security is the establishment of a set of standards for security in connected devices, standards that will be developed by the National Institute of Standards and Technology. The draft legislation doesn’t set out too many specifics for what those security standards would be, but dictates they will include four separate areas: secure development, identity management, patching, and configuration management. Under the language in the bill, vendors selling IoT devices to federal agencies will have to meet the NIST standards for those areas.
The bill, known as the Internet of Things Cybersecurity Improvement Act, would also require the director of NIST to develop “recommendations for the Federal Government on the appropriate use and management by the Federal Government of Internet of Things devices owned or controlled by the Federal Government, including minimum information security requirements for managing cybersecurity risks associated with such devices.”
The weak security of many IoT devices has been a prime topic in both the security community and among legislators for several years, but there hasn’t been much real improvement. Many of the same problems that plagued early generations of IoT devices are still present in more recent versions, including default hardcoded credentials, weak software security practices, a lack of update mechanisms, and many others. The House and Senate bills attempt to address some of these problems through the proposed requirements for secure software development practices and patching, but the specific language in the NIST guidelines will be vital in actually determining whether the standards have any effect.
The UK last year published a set of guidelines on secure development practices for IoT device manufacturers that includes many of the same principles discussed in the IoT bills introduced this week. Manufacturers of IoT devices have been slow to respond to calls from researchers, consumers, and lawmakers to improve the security of their products for a number of reasons, mostly because there’s little if any economic incentive to do so. Connected light bulbs, running shoes, beds, and doorbells are selling just fine as is.
Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices."
But, the best incentive that the government has to get things moving in the right direction is its unmatched buying power. If these bills become law, the guidelines developed by NIST could become the standards used in acquisition programs, and there is no greater incentive to clean up a security mess than money.
“As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure. Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices,” said Rep. Robin Kelly (D-Ill.), one of the sponsors of the House bill.
The second major part of the proposed legislation is the establishment of a coordinated vulnerability disclosure policy for federal agencies using IoT devices. The policy is supposed to be aligned with ISO 29147 and ISO 30111, two international standards that address vulnerability disclosure. The Senate version of the bill requires that the director of NIST “in consultation with such cybersecurity researchers and private-sector industry experts as the Director considers appropriate, publish guidance on policies and procedures for the reporting, coordinating, publishing, and receiving of information about—(1) a security vulnerability relating to a covered device used by the Federal Government; and (2) the resolution of such security vulnerability.”
Vulnerability disclosure in the IoT market has followed the same general path as it did in the early days of desktop software and web applications. Some vendors have reacted to vulnerability reports with hostility or legal threats, others have ignored them, and some have worked with researchers to remediate the problems. The responses have been all over the map, with no consistent set of guidelines for researchers and vendors to follow. The bills on Capitol Hill now would go a good distance toward addressing a large part of that problem. They also would require federal agencies to comply with a set of guidelines on reporting, coordinating, publishing, and receiving information from researchers about vulnerabilities in IoT devices.
The Senate bill is sponsored by Sen. Mark Warner (D-Va.) and several others, and the House bill is sponsored by Kelly and Rep. Will Hurd (R-Texas).