Senate bill on IoT standards looks to secure connected devices
The US Senate has introduced a new bill that seeks to create a set of minimum security standards for a range of Internet of Thing (IoT) devices purchased by the US government.
And it has the potential to affect a huge amount of tech, as the bill defines any IoT device as a physical object capable of connecting to the Internet, and one that has the processing capabilities, coupled with the ability to collect, send or receive data.
The move comes After the European Union last year pledged to push industry governance measures that would improve the security of Internet-connected devices. And experts have long said that cyber security needs to be at the forefront of the IoT push.
The bill essentially wants to ensure that these types of devices (i.e routers, cameras, computers etc) used by any US federal agency using these of types are patched as soon as the security updates are available.
The Bill, according to security journalist Brian Krebs, also seeks to ensure that devices do not use hard-coded (unchangeable) passwords; and that vendors ensure the devices are free from known vulnerabilities when sold.
The bill is called the ‘IoT Cybersecurity Improvement Act of 2017‘, and it has the backing from across the political spectrum in the US, as it was introduced by Republican Senators Steve Daines and Cory Gardner, as well as Democrat senators Mark Warner and Ron Wyden.
The proposal directs the White House Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
And all government agencies have to compile an inventory of all Internet-connected devices in use by the agency.
There has long been concern that professional cyber criminals for hire could attack IoT systems and critical infrastructure, like power grids, from across the internet at the behest of terrorist groups and nation states.
That incident recalled a similar case in 2015 when a security firm found a botnet made up of 900 CCTV cameras was launching an attack on an unnamed cloud services provider.