The vice chairman of the Senate Intelligence Committee is citing the recent disclosure of malware exploiting a Department of Defense server to push for passage of his Internet of Things Cybersecurity Improvement Act.
Sen. Mark Warner (D-Va.) pointed out in a statement that it was a vulnerability disclosure regime at DOD that allowed a researcher to report the malware, and said his bill would help advance similar programs that could be coordinated with the DOD procedures in place. Warner's bill was reported out of the Senate Homeland Security and Governmental Affairs Committee last June, but has yet to be voted on in the Senate.
ZDNet reported that the researcher had first discovered that a DOD server running on Amazon Web Services' cloud platform was publicly accessible without credentials, then that it had been hacked and was being used by a botnet to mine cryptocurrency.
Warner's bill would make sure government IoT devices are as secure as they can be, including by requiring transparency and disclosure from contractors. The bill now heads to the full Senate for a vote. It would also require government-purchased devices to meet a minimum level of security.
“This incident demonstrates the inherent value of vulnerability disclosure programs for information technology products operated by federal agencies,” Warner wrote in a letter to DOD CIO Dana Deasy. “These programs are a crucial force multiplier for federal cybersecurity efforts. Clear guidelines and a process for security researchers to find and share vulnerabilities enabled this malware discovery, and ultimately prompt remedial action by DOD,” he said. “Continuing to encourage the responsible discovery and disclosure of bugs or vulnerabilities on federal information technology systems with both internal and outside security researchers can only strengthen the cybersecurity posture of federal and DOD systems.”