U.S. senators to introduce bill to secure 'internet of things'
Posted by NB, Thursday, August 10, 2017
(Reuters) - A bipartisan group of U.S. senators on Tuesday plans to introduce legislation
seeking to address vulnerabilities in computing devices embedded in everyday
objects - known in the tech industry as the "internet of things" -
which experts have long warned poses a threat to global cyber security. The new
bill would require vendors that provide internet-connected equipment to the
U.S. government to ensure their products are patchable and conform to industry
security standards. It would also prohibit vendors from supplying devices that
have unchangeable passwords or possess known security vulnerabilities.
Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are
sponsoring the legislation, which was drafted with input from technology
experts at the Atlantic Council and Harvard University. A Senate aide who
helped write the bill said that companion legislation in the House was expected
soon.
"We're trying to take the lightest touch possible," Warner told Reuters in an
interview. He added that the legislation was intended to remedy an
"obvious market failure" that has left device manufacturers with
little incentive to build with security in mind.
The legislation would allow federal agencies to ask the U.S. Office of Management
and Budget for permission to buy some non-compliant devices if other controls,
such as network segmentation, are in place. It would also expand legal
protections for cyber researchers working in "good faith" to hack
equipment to find vulnerabilities so manufacturers can patch previously unknown
flaws.
Security researchers have long said that the ballooning array of online devices
including cars, household appliances, speakers and medical equipment are not
adequately protected from hackers who might attempt to steal personal
information or launch sophisticated cyber-attacks.
Between 20 billion and 30 billion devices are expected to be connected to the internet
by 2020, researchers estimate, with a large percentage of them insecure. Though
security for the internet of things has been a known problem for years, some
manufacturers say they are not well equipped to produce cyber secure devices.
Hundreds of thousands of insecure webcams, digital records and other everyday
devices were hijacked last October to support a major attack on internet
infrastructure that temporarily knocked some web services offline, including
Twitter, PayPal and Spotify.
The new legislation includes "reasonable security recommendations" that
would be important to improve protection of federal government networks, said
Ray O'Farrell, chief technology officer at cloud computing firm VMware.