Congress introduces bill to improve 'internet of things' security

The Internet of Things Cybersecurity Improvement Act wants to make sure the federal government isn't buying devices that can be easily hacked.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

The legislation would set minimum standards of security for connected devices the federal government uses. 


Connected devices are notorious for their shoddy security and Congress is hoping to fix that.

Members of the US Senate and House of Representatives introduced the Internet of Things Cybersecurity Improvement Act on Monday, hoping to bring legislative action to the emerging technology.

Connected devices are expected to boom to 20.4 billion units by 2020, but they don't all have the same levels of security. Hackers often target IoT devices that lack built-in security, which suffer from problems like default passwords and vulnerabilities that can't be fixed.

At a Senate hearing last year, Lt. General Robert Ashley, director of the Defense Intelligence Agency, told lawmakers that insecure IoT devices are one of the "most important emerging cyberthreats" to US national security.

There's no national standard for IoT security, and it's up to each company to decide how secure it wants to make its connected devices.

Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses.

"While I'm excited about their life-changing potential, I'm also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security," Sen. Mark Warner, a Democrat from Virginia, said in a statement.

The legislation wouldn't set security standards for IoT companies across the board -- just for ones that want to sell to the US government.

The hope is that by improving security standards for the federal government, one of the largest customers available, standards for the entire IoT market would improve along with it.

The bill is not like California's SB 327, the country's first IoT security law, which passed last September. California's law requires specific security measures that device makers have to adhere to, like getting rid of default passwords and requiring users to generate their own passwords before allowing device access.

If passed, the federal IoT security bill would require recommendations from the National Institute of Standards and Technology on security standards the federal government should follow. 

NIST would also review that policy every five years, according to the bill.

All IoT vendors that sell to the US government would also have to have a vulnerability disclosure policy so that government officials can learn when the devices they're using are open to cyberattacks.

Four senators first proposed this bill in August 2017 and it's being introduced for a vote in both the Senate and the House on Monday.

Sens. Warner, Cory Gardner, Maggie Hassan and Steve Daines introduced the bill in the Senate, while Reps. Robin Kelly and Will Hurd introduced the legislation in the House.

"As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks," Kelly, a Democrat from Illinois, said in a statement.
