The Internet of Things might be getting more secure — at least lawmakers want that to be the case.
A group of U.S. senators on Tuesday introduced a bill that would require vendors who supply the federal government with IoT devices “to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements,” according to a statement.
The legislation, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, would direct the Office of Management and Budget to develop alternative network-level security requirements for devices with limited data processing and software functionality, the statement notes. That way, Reuters reports, agencies could ask OMB "for permission to buy some non-compliant devices if other controls, such as network segmentation, are in place."
Additionally, it would direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines for each agency with respect to any connected device in use by the government, and include policies and procedures for conducting research on the cybersecurity of an IoT device. Sens. Mark Warner and Cory Gardner, co-chairs of the Senate Cybersecurity Caucus, introduced the bill along with Sens. Ron Wyden and Steve Daines.
The bill comes as the Government Accountability Office found that the Defense Department’s policies on IoT devices aren’t robust enough to guard against cybersecurity threats.
The report notes that although DOD has identified the many IoT-related security risks and developed policies and threat scenarios, current rules do not adequately address these challenges. The report recommends updates in certain areas to keep DOD information secure from threats posed by IoT devices.