Congress Proposes Internet of Things Legislation

The 2016 Mirai botnet strike used the Internet of Things (“IoT”) to launch denial-of-service attacks against Twitter, PayPal, Netflix and several other technology-based entities. The IoT is a system of interrelated web-connected objects and devices that does not require human-to-human or human-to-computer interaction.

In the aftermath of Mirai, Congress is taking an important first step. A bipartisan bill, The Internet of Things Cybersecurity Act of 2017, was introduced by U.S. senators Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-OR), and Steve Daines (R-MT).  The bill provides the following security stipulations for IoT devices purchased by the U.S. government:

• Vendors of IoT devices purchased by the federal government must provide products that are patchable.
• Vendors will not use hard-coded passwords.
• Vendor products must not contain any known security vulnerabilities. 
• Cybersecurity researchers are exempt from Computer Fraud and Abuse Act and Digital Millennium Copyright Act liability when in engaged in good-faith security research.
• Each executive agency will inventory all IoT devices in use by the agency.

If enacted, The Internet of Things Cybersecurity Act of 2017 will be narrowly applied to government contractors; it is also expected that these common-sense guidelines will eventually make their way to consumer product manufacturers. Because the act’s requirements are both practical and not overly burdensome, leading technology vendors – such as Mozilla, Symantec and others – have applauded the legislation.

By 2020, the IoT sector is expected to top 20 billion devices worth more than $1 trillion. Government spending alone on IoT products is more than $9 billion annually.