from the the-S-in-IoT-stands-for-security dept.
Lawmakers in the U.S. Senate today introduced a bill that would set baseline security standards for the government's purchase and use of a broad range of Internet-connected devices, including computers, routers and security cameras. The legislation, which also seeks to remedy some widely-perceived shortcomings in existing cybercrime law, was developed in direct response to a series of massive cyber attacks in 2016 that were fueled for the most part by poorly-secured "Internet of Things" (IoT) devices.
The IoT Cybersecurity Improvement Act of 2017 seeks to use the government's buying power to signal the basic level of security that IoT devices sold to Uncle Sam will need to have. For example, the bill would require vendors of Internet-connected devices purchased by the federal government make sure the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that vendors ensure the devices are free from known vulnerabilities when sold.
[...] The bill's provisions would seem to apply to virtually any device that has an Internet connection and can transmit data. Under the proposal, an IoT device has a fairly broad definition, being described as "a physical object that is capable of connecting to and is in regular connection with the Internet;" and one that "has computer processing capabilities that can collect, send or receive data."
[...] The measure also directs the Department of Homeland Security to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. government.
[...] A full text of the Senate proposal is available here.
Source:
https://krebsonsecurity.com/2017/08/new-bill-seeks-basic-iot-security-standards/
(Score: 0) by Anonymous Coward on Thursday August 03, @08:12PM (2 children)
I bet that prices go up for anything that passes this government requirement. Any takers?
(Score: 2) by tibman on Thursday August 03, @08:53PM (1 child)
Plenty of civilians buy "mil-spec" for its supposed higher quality. Companies get a new badge to stick on their products to entice users to buy their product over a competitor.
(Score: 2) by DannyB on Thursday August 03, @08:58PM
The reason people buy "mil-spec" is to get older technology, that runs slower, and ensures that you won't get any technology upgrades for a long, long time, if ever. Those are the primary selling points.
(Score: 2) by ikanreed on Thursday August 03, @08:27PM (1 child)
plz install more backdoor, thx
(Score: 2) by DannyB on Thursday August 03, @09:05PM
You don't need a back door because grand juries indict 99.99 % of the time.
(Score: 2) by DannyB on Thursday August 03, @08:56PM
I have suggested this before.
Simply make IoT device manufacturers liable for any actual damages caused by their devices getting hacked. By "liable", I mean make it easy to recover those damages.
I am NOT proposing any kind of government certification. Or registration. Or mandatory design standards. Or government testing program. (Although the market could create voluntary testing and certification programs, sort of like UL, to assure consumers.)
That is the only legislation that is needed. Just fix the perverse incentives. Right now the incentive is for IoT manufacturers to ignore security and let others bear the costs of getting DDOS'ed or worse from the hacked IoT devices.
Manufacturers might even cooperate on the security of a Linux distribution that they could all build their IoT devices upon.
Manufacturers would have to consider whether they should (or should not) have an update mechanism.
This might increase the cost of IoT devices -- which is as it should be. Right now, the victims of the hacking bear the costs of their damages. And those are third parties who didn't even buy the cheap lousy insecure IoT devices. Manufacturers might consider whether certain things should even be IoT devices or connected to the clod. Do we really need any clod connected teddy bear toys?
As for "startups couldn't bear the risk this would impose", I would argue that I have the same expectation of a $1,200.00 cloud connected toaster as I have of a $12 toaster from Target -- that it won't burn my house down. I should have the same expectation that neither the $12 toaster nor the $1,200.00 iToaster are going to get hacked and cause actual damages, DDOS attacks, or ransomware attacks.
(Score: 2) by krishnoid on Thursday August 03, @08:59PM (1 child)
Seems like this would be a good opportunity to start pushing IPv6, since (in my limited understanding) it provides packet traceability/authentication (?), and makes a clean break with the smaller IPv4 space as internet-connected devices start scaling up by an order of magnitude and beyond. I'm sure there are some drawbacks though.
(Score: 2) by DannyB on Thursday August 03, @09:02PM
IPv4 will never go away. There is a limited amount of it. Supply and demand forces the price of static IPs to go up. There is money to be made. IPv4 will never go away.
