This article originally appeared on Network World by Gary Eastwood.
As a free and open internet continues to come under assault by the FCC’s proposal to effectively end net neutrality, investors, programmers, and internet users of all stripes have vociferously voiced their support of the Internet of Things (IoT) and the open web that enables it. It appears those voices have been heard, as the U.S. Senate may be taking steps to secure the IoT’s future.
So, what exactly is the U.S. Senate up to, and how might its actions impact the health of the IoT? What are the specifics of the bill in question, and how might its text impact Americans’ everyday lives as they make use of the IoT?
A hopeful IoT security bill
A new bipartisan bill published Tuesday by Sen. Mark Warner (D-Va.) and Sen. Cory Gardner (R-Colo.), the Internet of Things Cybersecurity Improvement Act of 2017, hopes to beef up America’s internet security. The bill highlights the enormous complexity of the IoT and the huge benefits it provides to the American economy, but it also notes the fragility and vulnerability of the system to outside attacks.
The crux of the bill is that it will force companies which sell web-connected devices to the U.S. government to do more to ensure the cybersecurity of said devices. Vendors to the government must ensure that whatever gadgets they sell to Uncle Sam are patchable, don’t contain vulnerabilities, and don’t contain hard-coded passwords, amongst other measures.
The bill also directs the Office of Management and Budget to develop alternative network-level security requirements for devices with limited processing capabilities. Critically, it even mandates that the government inventory all internet-connected devices used by executive agencies, a hurdle which could prove to be insurmountable.
Securing the IoT is a herculean task, and even the U.S. Senate may not be fully cut out for the job. Some analysts expect IoT spending to rocket to over $800 billion by the end of 2017, meaning the government and its private vendors will be dealing with millions if not billions of individual gadgets and devices. As the expansion of the IoT shows no signs of slowing down, the number of devices affected by the legislation and the funds needed to carry it out will only grow with time.
The firm Govini has also previously reported that government spending on sensors nearly tripled from FY2011 to FY2015. As the government and its private contractors employ more sensors, keeping track of them and ensuring they’re adequately patched to prevent security breaches could become virtually impossible.
The senators sponsoring the bill appear to be well aware of its potential limitations, and they have included sections in the bill’s text that may make it easier for government officials to comply with it. Agencies could purchase devices that are non-compliant with the bill, for instance, as long as they get permission from the OMB and demonstrate that the devices are still secure.
Preventing future IoT attacks
The legislation is the most concrete response yet to the devastating 2016 cyber attack that crippled portions of the internet. Experts say the attack, which brought down highly trafficked sites such as Reddit, Twitter, and CNN, was largely carried out by a botnet made up of IoT devices.
While many consumers may worry that their home appliances may be hijacked by malevolent hackers, the real threat to the IoT could come from further large-scale attacks such as that seen in 2016. As more and more devices connect to one another, something Movers Corp. is finding out, malware can gain access to lightly protected IoT devices across the nation and enlist them in its brutal attacks.
The European Commission has already attempted to tackle the problem of IoT security, meaning the U.S. Senate will be able to look elsewhere for guidance as it attempts to craft its own legislation. Both the new EU rules and the bill being pushed in the U.S. Senate could end up costing vendors who create and sell appliances to governments a pretty penny, but the additional regulations are likely the only way to secure the rampantly ungoverned IoT.
Major tech companies such as Apple and Microsoft already regularly deliver updates and patches to their consumers’ gadgets, often on a monthly basis. The new IoT bill could essentially work to force vendors’ hands so that they, too, have to take more steps to ensure IoT security before passing their gadgets off to government workers who may be unfamiliar with IT.
The push for greater IoT security is not new to Sen. Warner, who has lobbied the FCC in the past for more stringent rules on data security. Whether the bill gains enough support to pass in an increasingly gridlocked Congress remains to be seen, but taking action to ensure the IoT’s health and security is a step in the right direction.