It’s likely no surprise to anyone who has used the web that the Internet is, on some level, insecure. This problem has become more pronounced as the number of computers and devices connected to the Internet has increased. While hackers and other bad actors play a prominent role in the shaping of the present state of the Internet, poorly-configured devices currently connected to the Internet are also responsible for the spread of malware and various threats to privacy. This means that while Internet of things devices are adding more convenience to our lives, if the devices themselves are not secure, they may also be putting our information and identities at risk. A newly proposed bill, called the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, aims to solve this exact problem. The bill will set standards that developers must implement into the hardware and firmware of IoT devices purchased for government use. Below we go into detail about what is known about the proposed bill, what some of its implications might be and how it will impact you.

What exactly is the IoT Cybersecurity Improvement Act?

The bill, which was proposed by a bipartisan group of lawmakers, is a direct response to the weaponization of IoT systems seen in last year’s Mirai botnet attack, which infected smart devices and took down portions of the Internet.

Overall, the bill:

  • Requires companies to maintain an obligation to inhibit the release of products with known vulnerabilities or inherent weaknesses like unchangeable, hard-coded passwords.
  • Requires companies to disclose any new vulnerabilities whenever discovered by security researchers or through a vendor’s own discovery process.
  • Requires companies to install components in devices which can be or are updated regularly.

In addition, the bill defines entities like the Department of Homeland Security and Office of Management and Budget as the ones who will be shaping the types of requirements and guidelines that will affect the implementation of the policy. The bill currently has support from a number of tech groups, including the Center for Democracy & Technology, Mozilla, CloudFlare and Symantec.

It’s important to note that the bill in its current form targets the devices that government contractors provide to governmental agencies, rather than any and all devices geared toward consumers. While this might seem irrelevant to the average Internet user, the idea is that the federal government, which is one of the largest consumers for many tech companies, can increase the demand for secure devices that meet certain qualifications. If the government will only do business with companies that provide secure products, many companies will likely begin investing heavily in producing products that meet the demands of this bill. Furthermore, this bill could be modified down the line, or a second complementary bill could be created to further cement IoT standards for consumer products.

What effect will this bill have on cybersecurity?

This bill is being seen by some as a very important first step in implementing cybersecurity standards for IoT devices in the tech industry. There currently exists no uniform standard to which devices conform, which is why some devices might have hard-coded and unchangeable passwords, for example. Unfortunately, when it comes to cybersecurity, even a few weak devices can compromise a network. As such, providing rules and an incentive to abide by those rules might be the push needed to move IoT cybersecurity in the right direction.

What’s the likelihood of this bill passing?

It’s much too early to say what the bill’s odds of survival are, especially in this current political environment. That said, part of the reason that the scope is limited to devices and vendors providing services to the government is so these rules can be codified with little pushback; were the bill to tackle broader IoT regulations, a lot more parties would get involved.

What should I do for now?

Keeping abreast of the bill’s progress is sufficient for now, but if you are purchasing IoT devices or have some already, taking a look at a few of the guidelines mentioned in the bill might be helpful. While you can’t regulate what companies sell, you can control what you buy and decide to use. Doing your homework to make sure you avoid devices with hard-coded passwords or those that don’t provide firmware updates (both of which the bill calls for federal government business partners to eliminate), for example, can help you protect your devices, information and privacy.

For more information about emerging cybersecurity developments, keep reading our technology blog.