August 2, 2017

Securing the Insecurities of the Internet of Things



There are real concerns related to the deployment and growth of the Internet of Things (IoT) sector. Chief among them is the issue of cybersecurity. As recent events like last October’s Mirai botnet attack show, the IoT is still wrestling with fundamental issues of insecurity. Luckily, a bipartisan group of senators has taken the first step in addressing some of these issues.

Today, Sens. Mark Warner (D-VA), Steve Daines (R-MT), Cory Gardner (R-CO), and Ron Wyden (D-OR) released the Internet of Things Cybersecurity Improvement Act of 2017. The bill would apply flexible, practical, and substantive cybersecurity guidelines for federal procurement of IoT devices. In addition, the bill immunizes security researchers from liability under the Computer Fraud and Abuse Act for engaging in systems penetration testing. Those protections are an important, and under-addressed, component of the cybersecurity debate, which ensures that researchers acting in good faith can test the integrity of networked systems without fear of being prosecuted.

As we move into an age where the lines between the digital and analog worlds are becoming increasingly blurred, cybersecurity will only grow in importance. In a recent comment filed with the National Telecommunications and Information Administration, the Niskanen Center pointed to a number of additional approaches that could help fortify the security landscape of the IoT. We argued that the government can play a positive role in promoting innovation while defending the online ecosystem by:

  1. Defending intermediary liability protections for content delivery networks and other online service providers;
  2. Continuing to embrace the Framework for Global Electronic Commerce as the guiding principles governing the Department’s perspective on IoT regulatory approaches;
  3. Leading on embracing cybersecurity insurance by implementing federal cybersecurity insurance requirements for contractors, examining the feasibility of providing tax breaks for insurers, and permitting data sharing to help develop actuarial assessments of the cybersecurity threat landscape;
  4. Promoting information-sharing initiatives between the public and private sectors; and
  5. Codifying the vulnerabilities equities process in law to ensure appropriately-vetted zero-day exploits can be quickly and effectively disseminated for patching.

While there remains much to be done to ensure the security of the growing and evolving online ecosystem, today’s IoT cybersecurity bill moves us in the right direction. The Niskanen Center applauds the thoughtful consideration Sens. Warner, Daines, Gardner, and Wyden put into this piece of legislation.

Ryan Hagemann is the Director of Technology Policy at the Niskanen Center