A recent article by Brian Krebs caught my attention: New Bill Seeks Basic IoT Security Standards. The bill “to improve the cybersecurity of Internet-connected devices” was authored by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-OR) and Steve Daines (R-MT) on August 1, 2017. This is so recent that a search on August 3 for the bill on GovTrack returned only the most generic of messages, saying this bill was in the “first stages of the legislative process.” In the meantime, the full text of the bill can be found on Scribd (posted by Senator Warner).
Forget the Text, Give Me the Terminology Instead
What I found most interesting when I reviewed the text of the proposed bill wasn’t in the bill language itself, but instead in the preface text, “SEC. 2. DEFINITIONS.” Beyond just defining the terms “director” and “executive agency,” the preface takes the time — and more interestingly spends the time — to focus on key terminology for the rest of the bill. Readers will see definitions for:
- Fixed Or Hard-Coded Credential
- Internet-Connected Device
- Properly Authenticated Update
- Security Vulnerability
No Vulns and No Hard-Coded Creds
[Forgive the security lingo, but if legislators can speak vulnerabilities, two-factor auth, and hard-coded credentials, then it’s a big moment that should be acknowledged.]
Also of importance is the text contained in the proposed bill, which requires that the IoT devices be assessed to ensure they’re not susceptible to any known vulnerabilities at the time of contract proposal (but what about at deployment???), that they accept only “properly authenticated and trusted” updates from vendors (wow, right?), and that they use “only non-deprecated industry-standard protocols and technologies” for key functions such as communication and interconnection with other devices.
Bring on The Security Researchers
Of final note in this proposed bill is the language modifying the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act to exempt cybersecurity researchers “in good faith, engaged in researching the cybersecurity of an Internet-connected device of the class, model, or type provided by a contractor to a department or agency of the United States” provided they also acted in compliance with the disclosure guidelines to be issued (at a later date) by the National Protection and Programs Directorate.
A Leap Forward?
I expect lawmakers to understand the limits of what they know and don’t know, and also be able to seek out expertise and yes, in some cases, education, to ensure that the proposed legislation is sound.
Whether or not this bill becomes law, I have to say that I am pleased to see the level of understanding that would be (automatically) achieved by anyone who reads the bill’s text. For the rest of the legislators who haven’t yet read this bill, I look forward to seeing how their own level of understanding and expertise regarding IoT and cybersecurity takes a leap forward.
In the meantime, I congratulate Senators Mark R. Warner (D-VA) and Cory Gardner (R-CO), along with Ron Wyden (D-OR) and Steve Daines (R-MT), on their proposed bill.
Also available on LinkedIn