Lawmakers in both the Senate and the House are exploring ways to enhance cybersecurity standards for federal procurement regarding the “internet of things,” the vast network of wirelessly connected devices that includes products ranging from drones and smart lightbulbs to connected vehicles and even some types of pacemakers.
Sen. Mark Warner (D-Va.) introduced legislation on Aug. 1 — S. 1691, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 — that would require internet of things devices bought by the federal government to meet minimum security standards for purchase.
Companion House legislation drafted by Rep. Robin Kelly (D-Ill.), ranking member of the Oversight and Government Reform Subcommittee on Information Technology, looks to build on the Senate legislation and establish similar basic requirements, while also enhancing federal input into the process.
The cyber vulnerabilities of connected devices have already been exploited for malicious intent. A distributed denial of service attack was carried out in October 2016 against internet performance management company Dyn Inc., impeding internet access to certain websites across the United States. The attack was attributed to thousands of compromised internet of things devices infected with malware, according to The New York Times.
Kelly said the legislation seeks to prevent such attacks from occurring against the federal government.
“The intent is to add security to government’s webcams, smart TVs and other IoT devices by baking cybersecurity into the procurement process,” Kelly said in an Oct. 4 email about the draft legislation. “The best policies arise from cooperation between all parties: Republicans, Democrats, industry and advocates; but, when it comes to technology, policy needs are consistently evolving.”
An analysis conducted last year by the Center for Data Innovation found that the federal government’s use of internet of things devices was still relatively low, but that agencies were already utilizing connected devices as part of “smart building” initiatives to make buildings more energy efficient.
Both the Senate legislation and Kelly’s draft bill state the intention “to provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies.” These standards include requirements that connected devices are able to receive security patches, do not include embedded passwords that can’t be changed and do not possess any known vulnerabilities.
Rep. Will Hurd, chairman of the House IT subcommittee, called the Senate bill “a starting point for a conversation about what needs to happen.” The subcommittee held a hearing last week to further explore the issue of cybersecurity and the internet of things.
But Hurd cautioned about the need to establish effective regulations and said he still had more questions than answers about a proposed framework.
“When I look at regulations around the internet of things, and it’s so broad, how can you potentially legislate outcomes?” said Hurd, a Texas Republican, in an interview before the Oct. 3 hearing. “And when you start legislating for specific types of things to happen, as soon as the bill gets passed in a space like this, it becomes obsolete. So how do you try to drive outcomes to ensure that we don’t make the mistake with the internet of things that we made with the internet, in not thinking about security at the beginning?”
Some industry experts who testified before the IT subcommittee last week said a regulatory framework would need a nuanced approach, one that is neither too broad nor too restrictive.
Matthew Eggers, executive director for cybersecurity policy in the National Security and Emergency Preparedness Department at the U.S. Chamber of Commerce, told the subcommittee during the hearing that the effort to bring more secure devices into the government was sound, but cautioned there is “no silver bullet to cybersecurity.” Eggers pointed to the definition of internet of things devices in both the Senate bill and House discussion draft and called it overly broad.
Ray O’Farrell, chief technology officer and executive vice president at VMware Inc., said in an Oct. 3 interview that the growing emergence of network-connected devices requires the federal government and private sector companies to practice regular cyber hygiene efforts — including encryption, multi-factor authentication and patching — when it comes to these products.
“We think it’s important to make sure that this infrastructure can be managed and secured and orchestrated using similar cyber hygiene techniques as you would apply to the normal data center,” O’Farrell said. “Broadly speaking, we see this edge world emerging as being a somewhat logical extension of data center infrastructure and smart infrastructure.”
Correction: A previous version of this story misquoted O’Farrell.