A bipartisan bill setting minimum security standards for Internet of Things devices connected to federal networks passed the House Monday. The bill now awaits a Senate floor vote before heading to the president’s desk.
The IoT Cybersecurity Improvement Act would require the National Institute of Standards and Technology to set best practices for device security. The Office of Management and Budget would then create guidance for agencies to meet or exceed those standards.
The bill would also require the Department of Homeland Security to publish guidance on coordinated vulnerability disclosures for contractors and vendors.
The lawmakers behind this effort – Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.), along with Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) – have spent more than three years trying to get this bill over the finish line.
Kelly said Tuesday that the bill’s passage in the House marked a major step towards closing a “glaring gap in cybersecurity infrastructure.”
“IoT devices are more and more common and fulfill greater and greater functions in our government, especially in this largely digital work environment created by COVID-19,” Kelly said in a call with reporters. “By establishing some baseline standards for the security of these devices, we will make our country and the data of American citizens more secure.”
With more 10 billion IoT devices in use today, and more than 25 billion devices in the next five years, Warner said agencies should address the “lowest-hanging fruit” in terms of cyber threats.
“Before we increase our cyber surface vulnerability that exponentially, shouldn’t we make sure that the stuff that the federal government buys is at least patchable?” he said.
In March, Defense Intelligence Agency Director Lt. Gen. Robert Ashley told the Senate Armed Services Committee that the most important emerging cyber threats to national security will be from the exploitation of “our weakest technology components: mobile devices and the Internet of Things.”
IoT devices vary in sophistication, and higher-end devices have operating systems that agencies can update remotely, while lower-end sensors are harder to patch. Regardless of the device, Hurd said that agencies should have an awareness of the known IoT device vulnerabilities.
“It’s real basic – if you’re going to introduce a widget into the digital infrastructure of the federal government and it has a known vulnerability, you either have to patch it or have some way to address it,” Hurd said.
Most of the larger IoT vendors, Warner said, are “building the more sophisticated IoT devices,” and generally support the legislation.
“It’s not been a hard sell with those guys. The challenge has been a lot of these IOT-connected devices are extraordinarily cheap sensor devices … that’s where there’s been some of the pushback that some of the low-end vendors have not wanted to take the responsibility to actually remediate known vulnerabilities,” Warner said.
Warner said Congress worked with the Trump administration on multiple drafts of the bill, and that the White House is comfortable with passing the bill in its current form. The Senate Homeland Security and Governmental Affairs Committee passed the bill in June 2019.