Fearing hackers, US senators propose 'internet of things' security standards
Senators Cory Gardner (R-Colorado) and Mark Warner (D-Virginia) are the main sponsors of the “Internet of Things Cybersecurity Improvement Act” of 2017, along with Steve Daines (R-Montana) and Ron Wyden (D-Oregon).
The bill would set minimum security requirements for internet-connected devices bought by the US government, and any vendor wishing to sell such devices to federal agencies would have to meet them. Agencies could request waivers, but each would need approval from the Office of Management and Budget (OMB).
Vendors would be barred from shipping devices to the government with passwords hard-coded into the firmware. Fixed and factory-default credentials are the weakness many experts blame for the October 2016 outage: the Mirai botnet, assembled from IoT devices that attackers logged into with default credentials, flooded the DNS provider Dyn and left Amazon, PayPal, Reddit, Spotify and Twitter unreachable for many users.
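The requirement described above maps onto a concrete check that a buyer or auditor can run on a vendor's firmware before deployment. The Python below is an added example written for this page, not code from the bill, the article or any party named in it. It audits an unpacked firmware root filesystem for accounts shipped with fixed or empty passwords, for credential literals from the Mirai default dictionary (only a subset of that dictionary is included here), and for a telnet daemon started with a shell instead of a login program. The path-to-bytes map, the fictional DVR binary and the password hashes are constructed sample input, and every function and variable name is this example's own rather than that of any standard tool.

```python
"""Offline audit of an unpacked firmware root filesystem for hard-coded and default
credentials.  Input is a mapping of file path -> file contents, as produced by
extracting an image (binwalk, jefferson, ...) and walking the tree; a constructed
miniature rootfs is embedded below so the module runs stand-alone."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Subset of the factory-default username:password pairs built into the Mirai
# scanner's dictionary; the full list has roughly sixty entries.
KNOWN_DEFAULTS = {
    "root:xc3511", "root:vizxv", "root:888888", "root:juantech", "root:default",
    "root:root", "admin:admin", "admin:1234", "support:support", "ubnt:ubnt",
}

# Password-field values that mean "account locked" rather than "password set".
LOCKED = {"*", "!", "!!", "*LK*"}

# crypt(3) hash prefixes -> algorithm; descrypt has no prefix and is 13 chars.
HASH_PREFIXES = {
    "$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
    "$y$": "yescrypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
}
WEAK_HASHES = {"descrypt", "md5crypt"}
SEVERITY_RANK = {"critical": 0, "high": 1}

# Printable ASCII runs of at least four bytes, i.e. what strings(1) reports.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# telnetd launched with /bin/sh or /bin/ash as the "login" program: no authentication.
TELNETD_NOAUTH = re.compile(r"\btelnetd\b.*-l\s+/bin/(?:a)?sh\b")


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical" (no authentication at all) or "high" (fixed credential)
    path: str
    detail: str


def classify_hash(field: str) -> str:
    """Name the crypt(3) scheme used by a shadow/passwd password field."""
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"
    return "unknown"


def audit_account_file(path: str, data: bytes) -> list[Finding]:
    """Check /etc/passwd or /etc/shadow for accounts with fixed or empty passwords."""
    in_passwd = path.endswith("passwd")
    findings: list[Finding] = []
    for line in data.decode("utf-8", "replace").splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        if pw in LOCKED or (in_passwd and pw == "x"):
            continue  # locked account, or password deferred to /etc/shadow
        if pw == "":
            findings.append(Finding("critical", path,
                f"account '{user}' has an empty password field (login needs no password)"))
            continue
        kind = classify_hash(pw)
        detail = f"account '{user}' ships a fixed {kind} password hash"
        if kind in WEAK_HASHES:
            detail += " (weak algorithm)"
        if in_passwd:
            detail += " in world-readable /etc/passwd"
        findings.append(Finding("high", path, detail))
    return findings


def audit_strings(path: str, data: bytes) -> list[Finding]:
    """Scan any other file (binary or script) for credential and no-auth literals."""
    findings: list[Finding] = []
    for run in PRINTABLE_RUN.findall(data):
        s = run.decode("ascii")
        if s in KNOWN_DEFAULTS:
            findings.append(Finding("high", path,
                f"known default credential literal '{s}' embedded in file"))
        elif TELNETD_NOAUTH.search(s):
            findings.append(Finding("critical", path,
                f"telnetd started without authentication: '{s.strip()}'"))
    return findings


def audit_firmware(fs: dict[str, bytes]) -> list[Finding]:
    """Run both checks over a path->bytes map and return findings, worst first."""
    findings: list[Finding] = []
    for path, data in fs.items():
        if path in ("/etc/passwd", "/etc/shadow"):
            findings.extend(audit_account_file(path, data))
        else:
            findings.extend(audit_strings(path, data))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.path, f.detail))


# Constructed sample: a miniature rootfs of a fictional DVR, not a real image.
# The hashes are made-up strings in the right format, not hashes of any password.
SAMPLE_FS: dict[str, bytes] = {
    "/etc/passwd": (b"root:x:0:0:root:/:/bin/sh\n"
                    b"admin:abJnggxhB/yWI:0:0::/:/bin/sh\n"       # DES hash left in passwd
                    b"nobody:*:99:99::/:/bin/false\n"),
    "/etc/shadow": (b"root:$1$SaltSalt$E2f1aG9j7vO0QvR5kLq3y.:16000:0:99999:7:::\n"
                    b"guest::16000:0:99999:7:::\n"                  # no password at all
                    b"nobody:*:::::::\n"),
    "/etc/init.d/rcS": b"#!/bin/sh\nmount -a\ntelnetd -l /bin/sh &\n/bin/httpd\n",
    "/usr/bin/dvr_app": b"\x7fELF\x01\x01\x01\x00\x00\x00root:xc3511\x00enable\x00",
    "/etc/hostname": b"dvr\n",
}

if __name__ == "__main__":
    for f in audit_firmware(SAMPLE_FS):
        print(f"{f.severity:8} {f.path}: {f.detail}")
```

Run against the sample, the audit reports two findings that amount to "no authentication" (the passwordless guest account and the telnetd started with a bare shell) and three fixed credentials (a DES hash left in /etc/passwd, an md5crypt root hash, and a Mirai-dictionary literal inside the application binary). A real image would be walked from the extracted directory into the same path-to-bytes map; the point of the check is that a vendor cannot satisfy a "no hard-coded password" requirement with a single locked root account while the firmware still carries an unauthenticated telnet service or a login baked into a binary.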
The bill would task the National Institute of Standards and Technology (NIST), an agency under the Department of Commerce, with issuing guidance on patching covered devices and on replacing those that cannot be brought into compliance.
The bill would also amend the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act (DMCA) with carve-outs for researchers who test the security of covered devices “in good faith,” so that such testing does not expose them to liability under anti-hacking law.
"We're trying to take the lightest touch possible," Warner told Reuters, adding that the law was intended to fix an “obvious market failure” where makers of internet-enabled devices have little incentive to keep security in mind.
Warner is the ranking member on the Senate Select Committee on Intelligence, and a leading proponent of the argument that Russia interfered in the 2016 US presidential election through cyberattacks and even “fake news” tailored for particular counties in swing states.
The market is “not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests,” Bruce Schneier, a cybersecurity expert and Harvard University fellow who consulted on the bill, told ZDNet.
Technology experts at the Atlantic Council also worked on the bill, Reuters noted without naming anyone. A nonresident senior fellow of the council’s Cyber Statecraft Initiative is Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, the company hired by the Democratic Party to investigate the hack of its computer systems disclosed in June 2016. While CrowdStrike attributed the intrusion to the Russian government, the FBI never got direct access to the DNC servers and relied on forensic images and analysis supplied by CrowdStrike.
Internet-connected devices are proliferating so fast there may be up to 30 billion of them by 2020, according to Reuters, most of them not secure.
On Tuesday, cybersecurity researcher Mark Barnes described a technique he used to install malware on an Amazon Echo and silently stream audio from the compromised home device to his own remote server. After peeling off the rubber base of the Echo, he attached to the debug pads exposed underneath, booted the device from an external SD card to obtain a root shell, and installed a persistent implant that forwards the raw microphone feed.
The attack requires physical access to the Echo and affects only the 2015 and 2016 models, but because the weakness is in the hardware there is no software fix for those units, and the tampering leaves no physical evidence on the device, wrote Barnes, who works for the UK-based MWR Labs.