The authors of draft legislation to impose security standards on Internet of Things devices purchased by the federal government are in listening mode for now, a senior Democratic congresswoman said Thursday.
A discussion draft of the House version of the Internet of Things Cybersecurity Improvement Act of 2017 is out, Democratic Rep. Robin Kelly of Illinois told the Dell Technologies Digital Transformation Summit produced by FedScoop.
“We want the stakeholders at the table,” as the bill is tweaked, she told CyberScoop in a brief interview after her keynote address, referring to tech companies, security experts and business lobbyists.
“We want to get [those views] so it can be developed in a broad bipartisan way,” she said.
Kelly, who is the ranking member of the IT Subcommittee of the House Oversight panel, said the bill is intended as a companion measure to the similar bill introduced in August in the Senate.
“It tracks the Senate version quite closely,” she said, mirroring that bill’s light-touch regulatory approach.
Under the bill, each agency would get to draw up its own rules within broad guidance and pre-determined categories. That “flexibility” is important, Kelly explained, “because what works for one agency won’t necessarily work for all of them.”
One difference is that the House version would establish an Emerging Technologies Advisory Board, led by government scientists from the National Institute of Standards and Technology and including representation from the Department of Homeland Security, the National Technology and Information Administration, the General Services Administration, the Federal Communications Commission, the Federal Trade Commission “and representatives from private industry, nonprofits and academia.”
The bill is designed to leverage the government’s buying power and emerging consensus standards to improve IoT cybersecurity.
The burgeoning IoT marketplace has created a rush to market by irresponsible manufacturers, she said.
“Unfortunately, this high-demand, lucrative market has attracted bad actors who crank out cheap products that are insecure, unreliable and vulnerable to malware,” she said.
“We saw the consequences last year” of that with the attack on Internet routing provider Dyn, which brought the web to its knees on the East Coast.
“The proliferation of these devices [IoT] has made these attacks easier and more common,” she said.
The bill has a steep hill to climb, it appears. The sponsors of both House and Senate versions are Democrats, and Republicans control Congress. Moreover, while business lobbies like the U.S. Chamber of Commerce and the Consumer Electronics Association pay voluble lip service to the need to improve IoT security, in practice they generally have objections to any efforts to do so through regulation.
The congresswoman said she was “hopeful,” nonetheless. “I couldn’t do this job if I wasn’t an optimist,” she said.