US senators are planning to introduce draft legislation next week that would require makers of Internet of Things (IoT) devices to ensure that their products are patchable and conform to industry standards for security.
The legislation is a bi-partisan effort led by Democratic Party senators Mark Warner and Ron Wyden, and Republicans Steve Daines and Cory Gardner.
Although relatively modest in scope, the legislation represents a first step towards requiring device makers to start taking responsibility for the security of products connected to the internet. "We're trying to take the lightest touch possible," Warner told Reuters.
He added that the legislation was intended to remedy an "obvious market failure" that has left device manufacturers with little incentive to build with security in mind.
It echoes thinking from security specialists such as Bruce Schneier, who have suggested that sensible, rather than heavy-handed, legislation is required to push device makers to improve the security of their products.
In November last year, following the Mirai malware attacks that compromised chronically insecure internet-connected CCTV systems, Schneier wrote: "The technical reason these devices are insecure is complicated, but there is a market failure at work…
"The teams building these devices don't have the security expertise we've come to expect from the major computer and smartphone manufacturers, simply because the market won't stand for the additional costs that would require.
"These devices don't get security updates like our more expensive computers, and many don't even have a way to be patched. And, unlike our computers and phones, they stay around for years and decades… Like pollution, the only solution is to regulate," wrote Schneier.
The draft legislation was put together with help from IT specialists from the Atlantic Council and Harvard University. It would also expand protection for security researchers who hack equipment for the purpose of finding vulnerabilities.