August 4, 2017
Sen. Mark Warner, a Virginian Democrat, and Sen. Cory Gardner, a Republican from Colorado, have teamed up on a cyber-security bill aimed at what — for Congress, at least — is an entirely new problem. The bill focuses on the Internet of Things, or IoT.
The measure will regulate the quality of internet-connected devices sold to federal agencies, ensuring they meet security standards including the ability to be patched with new security updates and a ban on hard-wiring passcodes directly into the devices.
The bill, which was introduced last week and is titled the Internet of Things Cybersecurity Improvement Act of 2017, can be read in full here. But you don’t want to read it. You want to know what industry experts think of the move. TechCo has discussed the issue with two experts, and they both agreed: It’s a step in the right direction, but it still has a major blind spot.
The Regulations Are Only Federal
So what’s the problem? The law doesn’t extend to the entire industry, as Danielle Jackson, Chief Information Security Officer at SecureAuth, explains.
“The good news is that attention is now being paid to the security in products that we, as U.S. consumers, are purchasing at an increasing rate,” Jackson states.
“But the regulations within this proposed bill apply exclusively to the federal government. So how are independent consumers benefitting from the same security features and enhancements that would be required of products being sold to the federal government? Will all vendors of any products be held to the same standards, even if the products are not purchased by the federal government? Will vendors be able to pick and choose what models are sold to the government and to consumers? Will there be a standard requirement for all goods and technology sold in the U.S. (ex: no hard-coding of passwords into firmware, etc…), especially for those devices where personal data is collected?
This bill should challenge us all, as consumers and vendors.”
Too often, consumers sacrifice security and privacy for their tech products, Jackson added. If this concern isn’t addressed, our cyber security problems will only get worse.
Manufacturers Should Work to Secure the Market
David Dufour, Senior Director of Cybersecurity and Engineering at Webroot, agrees that Sens. Gardner and Warner are making the right move in introducing the bill, saying that IoT devices present a “very real danger.” He too urges manufacturers to work proactively, noting that attackers typically exploit “basic” security holes and that these attacks can be prevented.
“We’re also seeing that companies are offering their IoT devices at competitive prices that consumers can afford. The consequence is that they often slash after-purchase updates to firmware and software that are crucial to keeping these devices secure,” Dufour says.
“Manufacturers need to work together and with cybersecurity professionals to secure the proliferating IoT device market. Extracting hard-coded passwords from the firmware and expert testing of IoT device defenses are a good start. I also recommend that the Senate tap the breadth of security expertise within the private sector to help solve this problem.”
The measure will help make federal agencies less vulnerable to exploits. Hopefully, the entire IoT industry will soon follow the government’s lead on this one.