After years of warnings about the parlous state of Internet of Sh!t security, the US Senate has finally introduced legislation on the matter.
The Internet of Things Cybersecurity Improvement Act would require that IoT devices purchased by the US government have no known security vulnerabilities, be patchable once flaws are found, and ship without hardcoded passwords. It also mandates that every government department inventory the IoT devices on its networks.
"Information is a form of currency," co-sponsor Senator Steve Daines (R‑MT) stated. "We need to have proper safeguards in place to ensure that our information is protected, while still encouraging innovation."
The bill also directs the Department of Homeland Security to come up with a vulnerability disclosure program, so that bugs found in these devices get reported to vendors and the kit on departmental networks gets patched and updated. Another provision requires the Office of Management and Budget to set reasonable standards for what IoT security should actually entail.
"The proliferation of insecure Internet-connected devices presents an enormous security challenge," said Bruce Schneier, infosec expert and a lecturer at Harvard Kennedy School of Government.
A key element of the proposed legislation is that it would give security researchers legal cover to take these devices apart and hunt for security bugs, with the exemption aimed at good-faith research on the kinds of devices the government buys. Today that work carries legal risk: under a broad reading of the Digital Millennium Copyright Act, a company could take legal action against a researcher who digs into its firmware, arguing that doing so breaks the terms and conditions of the device's use.
"The risks are no longer solely about data," Schneier warned. "They affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests. I applaud Senator Warner and his co-sponsors for nudging the market in the right direction."
Co-sponsor Senator Ron Wyden (D‑OR) said: "I've long been making the case for reforms to the outdated and overly broad Computer Fraud and Abuse Act and the Digital Millennium Copyright Act.
"This bill is a bipartisan, common-sense step in the right direction. Enacting this bill would help stop botnets that take advantage of internet-connected devices that are currently ludicrously easy prey for criminals."
The bill actually looks pretty good – out of the ordinary for tech laws – and corresponding legislation is close to being introduced in the House of Representatives. There is, however, one glaring flaw, beyond the fact that devices meeting that description (no known vulnerabilities, properly patchable, no baked-in passwords) are incredibly rare if not impossible (all software sucks).
No, that glaring flaw is: the act only applies to government purchases, so consumers are still screwed for the time being.
"The odds of a consumer protection bill being passed right now are zero," Schneier told The Register. "The odds of the government protecting itself are at least not zero." ®