A group of U.S. senators has introduced a bill called the Internet of Things Cybersecurity Improvement Act, which aims to beef up IoT security within the federal government.
The new bill, introduced by Senators Mark Warner and Cory Gardner, will require technology suppliers selling devices to the U.S. federal government to ensure their products meet a certain level of industry practices. For example, small and screenless connected devices sold to the government must be patchable with security updates, and hard-coding passwords into the firmware is prohibited.
The number of IoT devices is expected to grow strongly, into the billions, in the coming years. As the federal government could own millions of them, there are legitimate security concerns. The market is “not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests,” said cryptographer and security expert Bruce Schneier, who was consulted on the bill.
An Internet outage that hackers initiated last year using IoT devices has raised concerns. The denial-of-service attack caused the Twitter and Spotify websites to go down, and cybersecurity experts are worried about future threats originating from IoT devices.
For instance, using malicious software called Mirai, hackers can easily exploit devices that still use default usernames or passwords. They can then turn security cameras and other devices into a fierce botnet and cause widespread Internet outages.
The U.S. federal government has already deployed several IoT devices, including sensors to track energy usage or motion, wearables used in the military, and security cameras in official buildings.
While the bill only applies to tech companies and contractors that try to sell devices to the U.S. government, Senator Warner hopes it will inspire similar security improvements in the IoT devices that companies sell to the general public.