Rep. Robin Kelly, D-Ill., will introduce new legislation this week to “address cyber vulnerabilities created by the adoption of Internet-connected devices,” specifically the cyber threats associated with Internet of Things (IoT) devices owned and used by the Federal government.
“As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure,” Kelly, who is the ranking member of the Oversight and Government Reform Committee’s Subcommittee on Information Technology, said in a statement.
“Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices. It’s estimated that by 2020 there will be 30 million internet-connected devices in use. As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”
The new legislation, which was initially released as a discussion draft in August 2017, would mandate that basic cybersecurity standards be “baked into” government-purchased IoT devices. If this sounds like déjà vu, Kelly’s legislation is fairly similar to a piece of legislation introduced and championed by Sen. Mark Warner, D-Va., in June. The key differences are how the two pieces of legislation define IoT devices, and that Kelly’s bill “further empowers agency CIOs with additional waiver powers.”
“For the last 16 months, I’ve actively sought feedback on my federal IoT cybersecurity discussion draft,” she said. “My goal was to create the best possible legislation to harden government-purchased and used IoT devices.”
In a press release, Kelly’s office noted that the legislation has already received praise from both the private sector and academia.
“Unsecured IoT devices are an enormous–and growing–risk,” said Jeff Greene, VP of Global Government Affairs and Policy at Symantec. “But it does not have to be that way; IoT devices can be secured, and the Federal government can set an example for the private sector.”
Jonathan Zittrain, professor of law and computer science at Harvard University, further stressed the Federal government’s ability to shape the wider IoT marketplace for the better.
“[This bill] leverages Federal purchasing power to create pro-security market pressure and, equally important, serves as a model for the implementation of similar standards elsewhere,” he said. “The bill commits to engaging with academic and private-sector security experts to help craft specific agency guidelines. Casting a wide net during the advisory phase will both yield better policy and, if done fully, meaningfully enfranchise non-governmental partners.”
Today’s bill announcement is likely the opening salvo of what will be a busy week for Rep. Kelly. The Subcommittee on Information Technology will be holding its marquee hearing on the 7th FITARA scorecard on Wednesday.