Hurd, Kelly Bill to Improve Cybersecurity of IoT Devices Gains Momentum
by Will Hurd on June 13, 2019 at 3:00 PM
Yesterday, the House Committee on Oversight and Reform advanced bipartisan legislation by U.S. Representative Robin Kelly (IL-02) and me to improve the security of Internet of Things devices and help prevent future attacks on critical government information technology infrastructure.
Every single minute of every single day, hackers are trying to steal Americans’ information. From credit card numbers, to social security numbers, our personal information is targeted by bad actors around the globe. Internet of Things devices will improve and enhance nearly every aspect of our society, economy and everyday lives – and are growing rapidly. We must act now to ensure these devices are built with security in mind, not as an afterthought. I am excited to see this important, bipartisan cybersecurity bill move forward in the legislative process and look forward to seeing it on the House floor.
“As technology changes and revolutionizes the delivery of services, the government is purchasing and using more and more Internet-connected devices. We have an obligation to prevent these devices from becoming a backdoor for hackers and tools for cybercriminals,” said Rep. Kelly. “This bipartisan measure, painstakingly crafted over nearly two years, is a major step toward improving our nation’s cybersecurity. I want to thank my colleagues, especially Senators Warner and Gardner and Congressman Hurd, for working with me on crafting the best possible legislation to close this dangerous cyber vulnerability.”
“We live in a world where we’re becoming increasingly dependent on connected technology. In fact, millions of everyday devices – such as cars and refrigerators – are now connected to the internet. Frankly, it’s alarming that we still lack basic security standards for these devices, particularly for government-owned connected technology. Right now, our nation faces a myriad of cyber threats and today’s markup of this bipartisan bill takes an important step in improving our nation’s cybersecurity posture,” said Sen. Mark Warner.
“The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years,” said Sen. Cory Gardner (R-CO). “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks. Agencies like the National Institute of Standards and Technology (NIST), which has a major campus in Boulder, are key players in helping establish guidelines for improved IoT security and our bill builds on those efforts. I’m pleased to see the House advance legislation that Sen. Warner and I introduced in the Senate and that Reps. Kelly and Hurd have led in the House. I look forward to further action here in the Senate on this important bill.”
“As the capability of technology grows, the government has the responsibility to step up and modernize internet security systems to keep American families and businesses safe from cyber-criminals. The Internet of Things Cybersecurity Improvement Act will better secure internet technology and close loopholes exploited by online hackers,” said Rep. Mark Meadows (NC-11).
The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require that devices purchased by the U.S. government meet certain minimum security requirements to keep Americans’ personal data and government networks safe from hackers. The bill was introduced in the House in March by Rep. Robin Kelly (IL-02) and me, and in the Senate by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus.
The Internet of Things, the term used to describe the growing network of Internet-connected devices and sensors, is expected to include over 20 billion devices by 2020. While these devices and the data they collect and transmit present enormous benefits to consumers and industry, the relative insecurity of many devices presents enormous challenges. Sometimes shipped with factory-set, hardcoded passwords and oftentimes unable to be updated or patched, IoT devices can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack. IoT devices have been used by bad actors to launch devastating Distributed Denial of Service (DDoS) attacks against websites, web-hosting servers, and internet infrastructure providers.
The IoT Cybersecurity Improvement Act will address both this market failure and the supply chain risk to the federal government stemming from insecure IoT devices by establishing light-touch, minimum security requirements for procurements of connected devices by the government.
Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would:
- Require the National Institute of Standards and Technology (NIST) to publish a report and issue guidelines addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
- Direct the Office of Management and Budget (OMB) to promulgate security standards for IoT devices to the agencies that are consistent with NIST’s work, and charge OMB with reviewing these policies at least every five years.
- Require any Internet-connected devices purchased by the federal government to comply with those standards.
- Direct NIST to work with cybersecurity researchers and industry experts to publish guidelines on coordinated vulnerability disclosure to ensure that vulnerabilities related to devices are addressed by the agencies.
- Direct OMB to promulgate standards for coordinated vulnerability disclosure related to agency devices based on NIST guidelines and require contractors and vendors providing IoT devices to the U.S. government to follow these standards.
I have long been a champion of emerging technologies and practical policies that keep Americans safe. As Chair of the IT Subcommittee for four years, my bipartisan IT policies helped the federal government save $5 billion in taxpayer dollars.