US Senate introduces IoT bill to improve security of connected devices
Image credit: Dreamstime
Republican and Democrat Senators are working together to introduce plans to address some security vulnerabilities in connected devices, in an early step towards protecting the Internet of Things (IoT) from attack.
Since its emergence, the IoT has been cautiously described as a global cyber security threat. Vital everyday objects – such as household appliances, cars, locks and medical instruments – become targets for cyber attackers when connected to the IoT. By 2020, researchers estimate that 20 to 30 billion devices are likely to be incorporated into the IoT.
In October 2016, such as connected toasters and webcams were used in a disruptive cyber attack which affected Spotify, Twitter, Netflix and other popular websites.
Aiming to ensure that these devices have some security measures in place when they come to market, the Internet of Things Cybersecurity Improvement Act was introduced to the Senate this week. It was drafted with the advice of technology experts at Harvard University and the Atlantic Council, and is sponsored by Republicans Cory Gardner and Steve Daines, and Democrats Mark Warner and Ron Wyden.
The proposed legislation would require manufacturers of internet-connected devices to ensure that their products – when sold to the US government – meet industry security standards, and are patchable. Devices with unchangeable passwords or known security vulnerabilities would be banned under the legislation. The US Office of Management and Budget could grant permission for government agencies to buy some less secure devices if other controls were in place.
“We’re trying to take the lightest touch possible,” Mr Warner told Reuters.
According to Mr Warner, the bill is intended to fix an “obvious” market failure which leaves manufacturers too little incentive to build strong security measures into their products.
The bill would also offer greater legal protection to researchers hacking equipment “in good faith” in order to identify vulnerabilities and motivate manufacturers to patch flaws.
“This bill will help to resolve some of the known issues plaguing so many IoT devices being hacked on a daily basis,” said Travis Smith, principal security engineer at Tripwire. “There are two issues I see with this bill which won’t help the overall security of these types of devices. When left up to the user, changing passwords and installing patches is not a priority.”
“For this bill to be successful there needs to be incentives for vendors to get their devices to a secure state. Releasing a device which is free from security bugs is time consuming and costly.”
According to a Senate aide involved in the drafting of the bill, similar legislation may soon be proposed in the House of Representatives.