- A group of bipartisan senators have proposed a law to secure the Internet of Things, placing the onus on manufacturers to adequately secure internet-connected devices. U.S. Senators Mark Warner, D-VA, and Cory Gardner, R-CO, co-chairs of the Senate Cybersecurity, have teamed with Sens. Rony Wyden, D-WA, and Steve Daines, R-MT, on the legislation, according to an announcement.
- Under the proposed IoT Cybersecurity Improvement Act of 2017, vendors supplying IoT devices to the U.S. government would have to ensure the devices do not have hard-coded passwords, are patchable and are free of known security flaws. It would require executive agencies to inventory all IoT devices in use.
- The legislation also emphasizes the need for more security research to help create "coordinated vulnerability disclosure policies" for federal contractors supplying devices to the government. It also would remove liability for cybersecurity researchers acting in good faith.
The senators are on to something in their efforts to secure the IoT. But the effort falls short of creating U.S. standards necessary to actually protect against compromised IoT devices. The legislation focuses on the government procurement process, without touching on the security of publicly available IoT devices, installed by businesses and consumers.
Gartner predicts an estimated 8.4 billion IoT devices will be in use globally this year. By 2020, that number could reach 20.4 billion. Security, however, remains IoT's Achilles Heel. Manufacturers focus more on functionality than security, leaving many devices exposed for exploitation.
The legislation is in part a reaction to October's major DDoS attack, which highlighted serious vulnerabilities in the underlying internet infrastructure. The Dyn DDoS attack employed tens of millions of IP addresses from compromised IoT devices, bringing down large swaths of the internet.
So while the IoT legislation would work to secure IoT vulnerabilities across government agencies, it does little to prevent lax security measures of devices in production. Attackers may not be able to use government devices to create a botnet, however they have millions of other easily compromised devices to employ.
Innovation in tech consistently moves faster than legislation, and cybersecurity shortcomings are a result of that. Efforts to secure devices and ensure industry standard security practices come too late, often a reactionary move to a crippling cyberattack. Until legislation moves to prevent security shortcomings, large scale cyberattacks will persist.