Internet of Things Cybersecurity Improvement Act of 2020
BREAK IN TRANSCRIPT
Ms. KELLY of Illinois. Mr. Speaker, I thank the chairwoman for yielding.
Mr. Speaker, in October 2017, the IT Subcommittee held a hearing on cybersecurity of the Internet of Things. This hearing was largely held in response to the Mirai botnet, a massive Distributed Denial of Service, or DDoS, attack, which left the internet inaccessible for much of the East Coast.
IoT devices have processing power and an internet connection, but often have little security and no built-in ability to be patched remotely. IoT devices can range from your home routers, security cameras, and baby monitors to smart appliances and industrial sensors.
During the Mirai attack, hackers attempted to log in to common devices using 61 username-password combos that are frequently used as a default for IoT devices and never changed. This tactic gave them access to hundreds of thousands of unsecured IoT devices.
This attack served as a wake-up call.
In 2018, Lieutenant General Robert Ashley, DIA Director, described the exploitation of insecure IoT devices as one of the two "most important emerging cyber threats to our national security." This is why I urge my colleagues to support this bipartisan legislation.
During the hearing and subsequent process, we learned that the U.S. Government is purchasing these IoT devices without a standard for security to prevent them from being used in such an attack or used as an unauthorized access point to U.S. Government networks.
Bipartisan and bicameral conversations necessitated the introduction of this legislation.
H.R. 1668, the IoT Cybersecurity Improvement Act, aims to address supply chain risk to the Federal Government stemming from insecure IoT devices. By establishing light-touch, minimum security requirements for procurement of connected devices by the government, this bill has two main focuses: ensuring the government is purchasing secure devices and resolving critical vulnerabilities to existing devices.
Building upon the amazing work over at NIST, the bill has NIST-published guidelines on the appropriate use and management of Internet of Things devices owned or controlled by a government agency. At a minimum, it will address secure development, identity management, patching, and configuration management for IoT devices.
Following this, OMB will take these guidelines and issue policies and principles consistent with the current law.
To ensure these devices stay secure, this bill creates a coordinated vulnerability disclosure program to receive information about a device's related vulnerabilities.
To improve U.S. cybersecurity and the security of American citizens, agencies would be prohibited from purchasing devices that fail to comply with the minimum security policies and vulnerability disclosure guidance.
Throughout the entire process, I have worked hard to ensure that the requirements of this bill do not impede or conflict with the current and good efforts of NIST or CISA. Both agencies have been issuing excellent guidance on IoT devices and Coordinated Vulnerability Disclosures, and they should be commended for their proactive work and their engagement with me and my team during this process.
This bill offers Congress the opportunity to secure our Federal infrastructure from threats, both foreign and domestic. We cannot wait as more devices are connected to government networks that could potentially become part of a botnet or an entryway for hackers.
I want to thank everyone: experts, industry leaders, civil society leaders, and my colleagues who made comments and helped us craft a bill that is bipartisan and solves a real problem.
Finally, I have been proud to have worked with my friend and colleague Will Hurd on this legislation. He has always been there when I needed a partner on IT legislation, and he has taught me a lot about technology. His absence from this Chamber will be sorely missed.
I also want to thank Senators Warren and Gardner for working with me on this legislation.
This is a strong bill that I believe can pass both Chambers and be signed into law. I hope my colleagues will join me in supporting this important bipartisan piece of legislation.
BREAK IN TRANSCRIPT