Bipartisan IoT security bill introduced in Senate, House

CTIA is one of the backers of bipartisan legislation that was introduced in both the House and Senate today to ensure that IoT devices purchased by the U.S. government meet minimum security requirements.

The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 is being introduced in the Senate by U.S. Senators Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.), co-chairs of the Senate Cybersecurity Caucus, along with Senators Maggie Hassan (D-N.H.) and Steve Daines (R-Mont.). Representatives Robin Kelly (D-Ill.) and Will Hurd (R-Texas) are introducing companion legislation in the House of Representatives.

Just last week, CTIA announced that its IoT Cybersecurity Certification program had certified its first device, the Harman Spark, which is being offered by AT&T. CTIA said its IoT Cybersecurity Certification Program helps device suppliers, enterprises and government organizations ensure that cellular-connected devices have appropriate security capabilities.

Sen. Warner and colleagues have tried to pass similar legislation in the past.

Warner, who was an early investor in the cellular phone business and co-founded the company that became Nextel, wrote to the Federal Trade Commission (FTC) in July 2016 raising concerns about the security of children’s data collected by internet-connected “Smart Toys.” In May 2017, the senator wrote a follow-up letter to acting FTC Chairwoman Maureen Ohlhausen reiterating his concerns following comments by the chairwoman that the risks of IoT devices are merely speculative, according to a press release.

The FTC ended up issuing updated guidance on protecting children’s personal data in connected toys. Warner also raised concerns about the proliferation of botnets composed of insecure devices after the DDoS attack on the nation’s internet infrastructure by the Mirai botnet. He also wrote to Office of Management and Budget Director Mick Mulvaney and Secretary of Homeland Security John Kelly in May 2017 asking what steps the federal government had taken to defend against WannaCry ransomware.

“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Warner, who serves as executive and vice chairman of the Senate Select Committee on Intelligence, in a written statement. “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”

Sen. Hassan said that with everything from LED lights to thermostats connected to the internet, “we need to act swiftly to step up security for ‘internet of things’ devices to prevent hackers from disrupting our economy and threatening public safety. By requiring the federal government to only purchase devices that meet certain cybersecurity standards, this bill will help protect federal agencies against hackers who are seeking to exploit internet of things devices in order to steal critical national security information and the private data of Granite Staters and Americans.”

Last May, the Departments of Commerce and Homeland Security published a report highlighting the IoT market forces that reward low price and convenience at the expense of security. The May 2018 report recommended that the federal government should “lead by example” by requiring the acquisition of more secure and resilient products and services, particularly IoT.  

Among other things, the IoT Cybersecurity Improvement Act would require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.