Dustin Volz, reporting for Reuters: A bipartisan group of U.S. senators on Tuesday plans to introduce legislation seeking to address vulnerabilities in computing devices embedded in everyday objects -- known in the tech industry as the "internet of things" -- which experts have long warned poses a threat to global cyber security. The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon.
Devil is in the details (Score:4, Interesting)
It's good they're trying to do something, but the devil is in the details. For example, define "vulnerability". Anyone who's tried to remediate Nessus findings knows what I mean - those Low findings that just. won't. go. away. And do they mean internal or external vulns? etc, etc. And these things won't be determined in the law, they'll be decided by the bureaucrats implementing it. Pray that they're smart.
Instead of Perimeter Security (Score:1)
Instead of encouraging robust perimeter security and a well thought out security model, let's just require expensive and ineffective security on every single little thing.
A good idea (Score:1)
Not requiring standards for the entire industry, but for vendors to the Federal government which, if they work, will then propagate as de facto requirements for the private sector.
A non-legislative approach (Score:2)
He added that the legislation was intended to remedy an "obvious market failure" that has left device manufacturers with little incentive to build with security in mind.
This guy gets it. But I was hoping for a market solution. The government could start by requiring vendors of US government products to meet certain guidelines. States could require that police and government tech meets a standard. That typically makes civilian companies jump on board and require similar guidelines. Then individuals start to say "Oh, I only buy IP cameras that meet FIPS-12345 standards."
This approach is nice because it is flexible, and allows the market to decide what standards to apply.
Spinning wheels (Score:2)
It's more important to APPEAR that you're doing something, than it is to ACTUALLY do something.
How exactly do they propose to secure a marketing term? Cause that's all "Internet Of Things" is. It means absolutely nothing. While they're at it, why don't they also try to secure Big Data, The Cloud, and Web 2.0?
Patchable != Patched (Score:2)
If the end game of IoT is to be ubiquitous then there is no way that you can rely on manual intervention to keep things up to date and secure. So how will this all be enforced?