On 1 August, several American senators unveiled a bipartisan bill to mandate baseline cyber security requirements for internet-connected devices purchased by the federal government.
The bill follows a number of recent attacks which demonstrated that compromised connected devices, which make up the Internet of Things (“IoT”), can be used to paralyze websites, networks, and even components of critical infrastructure.
According to an analysis of the bill by Norton Rose attorneys David Navetta, Boris Segalis and Anna Rudawski, the bill would impose basic security requirements on any internet-connected device purchased by the federal government.
Under the proposed law, federal suppliers would be required to monitor and patch cyber security vulnerabilities.
The bill would require that suppliers of internet-connected devices to the federal government:
- Provide written certification that the product does not contain any known security vulnerabilities.
- Use software and components that can be updated and patched.
- Refrain from using hard-coded credentials or passwords.
- Notify the purchasing agency if any defects are discovered.
- Update software or replace components that create vulnerabilities.
- Repair new security vulnerabilities in a timely manner.
- Continue to support the device or provide the purchasing agency notice when cyber security support ends.
“Recent events show that the IoT is an attractive vector for a cyber attack,” the Norton Rose attorneys wrote.
“By mandating that suppliers meet basic security requirements, the federal government is pushing the market to take cyber security considerations into account as early as the product and system design phases. Further, by requiring post-sale monitoring of vulnerabilities, the government is requiring entities to monitor and enhance a device’s cyber security throughout its life-cycle.”
“Given the federal government’s purchasing power, this bill could move the entire IoT market toward better cyber security practices.”