Page 38 - FCW, Nov/Dec 2017

                                Internet of Things
In 2016, the Mirai botnet was able to block and slow access to large portions of the internet by capitalizing on the computing power of thousands of connected devices and executing a distributed denial-of-service attack on a major internet infrastructure company.
Lieu and Markey’s bill is one of several that have been introduced in recent months to bolster the security standards of connected devices (see “House bill seeks to secure IoT ecosystem”). In August 2017, Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) introduced the Internet of Things Cybersecurity Improvement Act, which would put restrictions on the government’s acquisition of IoT devices and ban the purchase of unpatchable gear and devices with hard-coded passwords.
Warner and Gardner had investigated and ultimately rejected the warning-label approach, said Rafi Martina, a policy aide to Warner.
“We were increasingly convinced by talking to industry experts that there is no single static approach,” he added at an October meeting of the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board. A warning label “conveys a false sense of security [especially if] the vendor doesn’t commit to patching to maintain the out-of-the-box level of security.”
By focusing on the government sector, the legislation could encourage more mature and serious market entrants while discouraging “smaller fly-by-night” devices — the “stocking stuffers from the TJ Maxx checkout line,” Martina said. “We need to ensure that the bar is set in line with that [higher] level of maturity.”
It’s unclear whether the government’s purchasing power will be big enough to contribute to the security of the overall IoT ecosystem, but Martina said the emphasis is on making sure only secure devices connect to federal networks.
“That second-order effect is welcome,” he added, “but the first-order effect — the higher-level security in the government” — is the main goal of the legislation.
— Derek B. Johnson
House bill seeks to secure IoT ecosystem
Rep. Robin Kelly (D-Ill.), ranking member of the House Oversight and Government Reform Committee’s IT Subcommittee, wants to improve the security and oversight of the emerging internet-of-things ecosystem through an Internet of Things Cybersecurity Improvement Act that would tighten standards on connected devices purchased by the U.S. government.
The bill, which has been released as a discussion draft, tracks closely with a Senate bill of the same name introduced by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.). However, Kelly’s bill provides for an Emerging Technologies Advisory Board “to be led by the National Institute of Standards and Technology and include members from the Department of Homeland Security, the National [Telecommunications] and Information Administration, the General Services Administration, the Federal Communications Commission, the Federal Trade Commission and representatives from private industry, nonprofits and academia.”
Kelly told FCW that “technology and security best practices change quickly, and we must be able to adapt just as quickly to address and counter these threats. The board will be tasked with reviewing and providing updated guidance and waiving required guidance, in part or in whole, based on changing conditions.”
Additionally, the bill lays the groundwork for new disclosure requirements for vendors that supply the government with connected devices. Kelly said her goal is not to overregulate the acquisition process and noted that “sector-specific regulators will devise more precise rules to address the unique risks to each sector.”
— Ben Berliner