A move by the Senate that’s anything short of disastrous these days is something of a rarity, but the self-described world’s greatest deliberative body managed to come up with something good this week when two senators introduced legislation seeking to secure the Internet of Things. The product category, which covers internet-enabled devices that we don’t generally perceive as “smart,” like light bulbs and kitchen appliances, has become one of the most perilous threats to cybersecurity in recent years.
Made fast and cheap by manufacturers, many IoT devices have weak security controls that leave them susceptible to hacking or remote control. Why, after all, does your Wi-Fi-enabled water bottle need encryption? But recent DDoS attacks have hinged on botnets composed of hundreds of thousands of unsecured IoT devices, bringing more attention to how a glut of poorly secured devices imperils the broader internet.
As a start, this week Senators Mark Warner (D-VA) and Cory Gardner (R-CO) introduced the Internet of Things Cybersecurity Improvement Act of 2017 to protect the federal government. The act ups security standards for vendors that sell internet-enabled technology to the government. Requirements include making devices patchable with security updates and prohibiting manufacturers from hard-coding admin passwords into firmware.
The bill also allows for security researchers to test devices and report vulnerabilities to manufacturers without fear of legal consequences. Security research requires those testing vulnerabilities to break security measures, potentially in violation of current technology regulations, like the outdated Computer Fraud and Abuse Act.
There is also, as Brian Krebs highlights, the seemingly gargantuan task of requiring each executive agency to inventory all of its internet-connected devices. These days, that might be easier said than done.
Commonsense regulations like these would go a long way toward bolstering internet security. Any tech firm hoping to land a government contract would need to comply with these new security regulations by making changes that would probably be applied to consumer sales as well.