On August 1, 2017, the Senate introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, which would impose specific cybersecurity requirements on providers of IoT devices doing business with the U.S. Government and provide liability protections for security researchers who disclose vulnerabilities affecting these devices.
The bill would require companies that provide Internet-connected devices to the federal government to determine whether those devices are patchable and whether they meet other cybersecurity requirements. It would also prohibit companies from selling the government products that have unchangeable passwords or that possess known security vulnerabilities.
The bill aims to influence the security practices of IoT device manufacturers indirectly, through the federal procurement market, rather than by directly imposing new legal obligations. There are no enforcement mechanisms for vendors aside from the threat of disqualification from federal contracting opportunities. Because the requirements apply only to contractors participating in the federal procurement market, consumer devices would be exempt from them except where vendors also sell those devices to the U.S. Government.
The bill also contains liability protections for security researchers who, in good faith, identify and disclose vulnerabilities in Internet-connected devices. The legislation intends to shield these researchers from liability under the Computer Fraud and Abuse Act as well as the Digital Millennium Copyright Act, so long as they follow disclosure guidelines to be developed by the U.S. Department of Homeland Security.
The Federal Government has been actively seeking to address vulnerabilities in the computing devices it employs. A recent report from the Government Accountability Office (GAO) revealed security gaps in the Department of Defense (DOD) policies on IoT devices. The agency said that while DOD has started to look at the security risks of such electronic devices, it needs to do more to close policy gaps and reduce potential security risks. GAO recommends that DOD (1) conduct operations security surveys that could address IoT security risks, or address the operations security risks posed by IoT devices through other DOD risk assessments; and (2) review and assess its security policies and guidance affecting IoT devices and identify areas where new DOD policies may be needed or where existing guidance should be updated.