Hurd Joins Colleagues to Improve Cybersecurity of “Internet-Of-Things” (IoT) Devices

I joined my colleagues to introduce bipartisan legislation to improve the cybersecurity of Internet-connected devices.

The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require that devices purchased by the U.S. government meet certain minimum security requirements to keep Americans’ personal data safe from hackers. The bill was introduced in the House by Rep. Robin Kelly (IL-02) and I, and in the Senate by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus.

The Internet of Things, the term used to describe the growing network of Internet-connected devices and sensors, is expected to include over 20 billion devices by 2020. While these devices and the data they collect and transmit present enormous benefits to consumers and industry, the relative insecurity of many devices presents enormous challenges. Sometimes shipped with factory-set, hardcoded passwords and oftentimes unable to be updated or patched, IoT devices can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack. IoT devices have been used by bad actors to launch devastating Distributed Denial of Service (DDoS) attacks against websites, web-hosting servers, and internet infrastructure providers.

The IoT Cybersecurity Improvement Act will address both this market failure and the supply chain risk to the federal government stemming from insecure IoT devices by establishing light-touch, minimum security requirements for procurements of connected devices by the government.

Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would:

• Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
• Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
• Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
• Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
• Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.

Bill text is available here.

Internet of Things devices will improve and enhance nearly every aspect of our society, economy and our day-to-day lives. This is groundbreaking work and IoT devices must be built with security in mind, not as an afterthought. This bipartisan legislation will make Internet of Things devices more secure and help prevent future attacks on critical technology infrastructure.

“As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure. Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices,” said Rep. Kelly. “It’s estimated that by 2020 there will be 30 million internet-connected devices in use. As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”

“While I’m excited about their life-changing potential, I’m also concerned that many Internet-of-Things devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Warner. “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”

“The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years,” Sen. Gardner said. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks. Agencies like the National Institute of Standards and Technology (NIST), which has a major campus in Boulder, are key players in helping establish guidelines for improved IoT security and our bill builds on those efforts. As co-chairs of the Senate Cybersecurity Caucus, Senator Warner and I remain committed to advancing our nation’s cybersecurity defenses.”

“BSA applauds Senators Warner and Gardner and Representatives Kelly and Hurd for their leadership in securing the IoT, and calls on Congress to act swiftly to advance this important legislation,” said Tommy Ross, Senior Policy Director, BSA | The Software Alliance. “As IoT devices increasingly bring greater productivity and quality of life to consumers and businesses across sectors, we must be proactive in addressing the unique security considerations they bring.”

“Insecure and unsecured IoT devices are a risk we must address, and it will only happen if the government and the private sector both step up. I'm glad that Senators Warner and Gardner and Representatives Kelly and Hurd are continuing to push this issue,” said Jeff Greene, Vice President of Global Government Affairs & Policy at Symantec.

The bill has also been endorsed by the Identification Technology Association, Rapid7, CTIA, Tenable, Bruce Schneier at the Harvard Kennedy School, Jonathan Zittrain, Co-Founder of Harvard University’s Berkman Klein Center for Internet & Society, Alan Davidson, Vice President of Global Policy, Trust, and Security at Mozilla, Cloudfare and others

I have long been a champion of emerging technologies and practical policies that keep Americans safe. I have sponsored similar IoT legislation every year since 2017 to adopt cybersecurity standards for the internet-connected devices the federal government purchases, and drive the tech industry into building safer and better-protected products. As Chair of the IT Subcommittee for four years, my bipartisan IT policies helped the federal government save $5 billion in taxpayer dollars.