And they’ll introduce a bill on Tuesday, they told Recode, to try to fix it.
When hackers took aim at a core piece of the internet’s plumbing last year, impeding access to websites like Twitter and Spotify, they did so by weaponizing the Internet of Things — a catch-all category of web-connected devices that includes fitness trackers and smart thermostats.
The resulting denial-of-service attack was limited and short-lived, in the end, but cybersecurity fears about IoT remain prevalent — and a group of lawmakers in Congress is now getting to work to ensure the U.S. government raises its own digital defenses in response.
That’s the aim of a new bill out today by Sen. Mark Warner, a Democrat in Virginia, and Sen. Cory Gardner, a Republican from Colorado. Their measure — called the Internet of Things Cybersecurity Improvement Act of 2017 — is an attempt to force companies that sell wearables, sensors and other web-connected tools to federal agencies to adhere to some new security standards.
For example, lawmakers’ new proposal would put into law a requirement that vendors ensure the small, often screenless devices sold to the U.S. government can be patched with security updates. (It sounds like a given, but it’s not.) It also prohibits those tech companies from hard-coding passwords into the firmware of the tools they offer the feds.
The passwords, generally kept hidden from users, exist to help manufacturers access the guts of those tools, but hackers have easily exploited them: a factory password is the same on every unit of a model, is often impossible for the owner to change, and is frequently reachable over a remote-login service left open to the internet. Using malicious software called Mirai, attackers scanned for such devices, logged in with a short list of those default credentials, and turned webcams and other devices into a formidable botnet — the one behind the widespread October outage.
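To make concrete what “no hard-coded passwords” asks of a vendor, here is an added illustration (my own code, not anything from the bill, Recode, or any device maker). The first function is the pattern the bill targets: one support password compiled into the image and shared by every unit. The second is the per-device alternative: a unique salt and a slow password hash kept in writable configuration, a constant-time comparison, and a flag that forces the owner to replace the factory password before the device is usable. The password `factory123` and the function names are assumptions for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Tuple

# --- Vulnerable pattern: the password is part of the firmware image -------
# Anyone who extracts one image (or reads a leaked credential list) can log
# in to every unit ever shipped, and nothing the owner does can change it.
HARDCODED_SUPPORT_PASSWORD = "factory123"  # constructed placeholder value


def vulnerable_check_login(username: str, password: str) -> bool:
    # Same secret on every device; plain '==' also leaks timing information.
    return username == "root" and password == HARDCODED_SUPPORT_PASSWORD


# --- Hardened pattern: per-device credentials in mutable config -----------
@dataclass(frozen=True)
class DeviceCredentials:
    """Credential record stored in writable config, never in the image."""
    salt: bytes
    pw_hash: bytes
    must_change: bool  # True until the owner has replaced the initial password


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 as a slow hash; a real device would use Argon2 or
    # scrypt where the platform offers them.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def provision_device(initial_password: str) -> DeviceCredentials:
    """Run once per unit at manufacturing or first boot.

    Each unit gets its own random salt, so even if the same initial password
    is printed on every label, the stored hashes differ and the unit refuses
    normal operation until the owner changes it.
    """
    salt = os.urandom(16)
    return DeviceCredentials(salt, _derive(initial_password, salt), must_change=True)


def hardened_check_login(creds: DeviceCredentials, password: str) -> Tuple[bool, str]:
    """Return (authenticated, status). Status 'password-change-required' means
    the caller may only present the change-password flow, nothing else."""
    candidate = _derive(password, creds.salt)
    if not hmac.compare_digest(candidate, creds.pw_hash):  # constant-time compare
        return False, "bad-password"
    if creds.must_change:
        return True, "password-change-required"
    return True, "ok"


def change_password(creds: DeviceCredentials, old: str, new: str) -> DeviceCredentials:
    """Replace the password; the factory default cannot be kept or re-used."""
    ok, _ = hardened_check_login(creds, old)
    if not ok:
        raise PermissionError("old password does not match")
    if new == old or len(new) < 8:
        raise ValueError("new password must differ from the old one and be >= 8 chars")
    new_salt = os.urandom(16)  # fresh salt on every change
    return DeviceCredentials(new_salt, _derive(new, new_salt), must_change=False)


if __name__ == "__main__":
    unit = provision_device("factory123")
    print(hardened_check_login(unit, "factory123"))   # (True, 'password-change-required')
    unit = change_password(unit, "factory123", "owner-chosen-secret")
    print(hardened_check_login(unit, "factory123"))   # (False, 'bad-password')
    print(hardened_check_login(unit, "owner-chosen-secret"))  # (True, 'ok')
```

The point of the hardened version is not the hash function but where the secret lives: in per-unit, owner-writable state rather than in the image, so a credential list harvested from one device (or one firmware download) unlocks nothing else, and a device that still carries its factory password cannot be driven past the change-password screen.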
With cybersecurity, Warner told Recode, “You’ve got to constantly be upgrading your game. And what we’re saying with Internet of Things devices is, if you’ve got hard-coded passwords or they’re not able to be patched, because they’re cheaper or smaller devices, that can’t be standard protocol.”
“If we turn around and there are 20 billion [IoT] devices in a couple years, and the federal has ‘x’ million of these devices, and they all have these characteristics,” he continued, “then, you know, I think we’re going to make a big mistake.”
On the consumer side, at least, the Internet of Things is a fast-expanding, if nebulous, market category. An estimate by IDC issued in June found that IoT spending around the world could reach as high as $1.4 trillion by 2021.
Much as consumers are coming to embrace those tools, the U.S. government is eyeing them as well. The firm Govini, for example, found federal agencies have spent about $4 billion on “sensors and data collectors” between the 2011 and 2015 fiscal years.
There are sensors now in federal buildings to track energy use, from simple motion sensors turning off lights to tools that raise or lower blinds depending on the time of day to reduce electricity bills, an analysis by the Information Technology and Innovation Foundation (ITIF), a tech-backed think tank, found last year.
Meanwhile, the Department of Agriculture has relied heavily on soil sensors to gather data about the nation’s farmlands, according to ITIF. And the Department of Defense is one of the biggest buyers and researchers of web-connected portable devices: The Govini report pointed to the Army, for example, which has explored new wearables that might help service members on dangerous foreign battlefields.
For now, Warner admitted to Recode, there’s actually no full, comprehensive accounting of the IoT devices that the U.S. government owns or operates. The Democratic lawmaker said that is all the more reason for Congress to adopt new cybersecurity rules of the road, fearing that some federal agencies are better than others at safeguarding their devices from hackers.
The Warner-Gardner bill also clears the way for researchers to investigate the cybersecurity of wearables and other small internet-connected tools. The proposal tasks the feds with putting in place guidelines that would allow experts to test the digital defenses of IoT devices and report what they find to manufacturers — without fear of liability under two federal laws that generally outlaw such experimentation, the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act.
On its surface, the bill applies only to tech companies and contractors that are trying to sell their tools to the U.S. government. But Warner hopes that the sheer “purchasing power” of the federal bureaucracy — which could spend as much as $95 billion on tech next year — might spur the same security improvements in the IoT devices that companies sell to consumers.
Warner, previously, has warned about major security risks in internet-connected toys, another part of the IoT universe. Still others in government have raised cybersecurity fears about the Internet of Things: Terrell McSweeny, a Democratic commissioner at the Federal Trade Commission, for years has warned about threats to smart homes and other, similar tools.