US Senators To Introduce Bill To Secure 'Internet of Things' (reuters.com)

Posted by msmash from the tightening-things dept.
Dustin Volz, reporting for Reuters: A bipartisan group of U.S. senators on Tuesday plans to introduce legislation seeking to address vulnerabilities in computing devices embedded in everyday objects -- known in the tech industry as the "internet of things" -- which experts have long warned poses a threat to global cyber security. The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon.

  • Devil is in the details (Score:5, Interesting)

    by Lord_Byron ( 13168 ) on Tuesday August 01, 2017 @12:48PM (#54920267)

    It's good they're trying to do something, but the devil is in the details. For example, define "vulnerability". Anyone who's tried to remediate Nessus findings knows what I mean - those Low findings that just. won't. go. away. And do they mean internal or external vulns? etc, etc. And these things won't be determined in the law, they'll be decided by the bureaucrats implementing it. Pray that they're smart.

    • $100K year per site + 1K / year per device to HPE to manage it. Labor costs extra

    • It reminds me of that court case vs Toyota where they were citing (iirc) strcpy as proof that there was a braking issue. Not the usage of strcpy, no... just the presence of it. Not reproducing a bug... just show that strcpy was being used.

      The hand-waving loose definitions non-coders get when they talk about code is amazing. While I think some regulation might be good, it would be a pretty jarring shift in how fast-and-loose the majority of the industry has become with code these days if people actually beca

    • My question about "securing". Is this more to secure the device against the user wanting to do stuff with it (anti-jailbreak), or secure it against remote bad guys? I worry every time I see anything government based going into security, because I expect more DMCA type stuff, and not stuff that actually keeps the bad guys out.

  • Instead of encouraging robust perimeter security and a well thought out security model, let's just require expensive and ineffective security on every single little thing.

    • Re: (Score:2)

      by Bengie ( 1121981 )
      Most professionals are too incompetent to properly implement perimeter security, what makes you think a typical end user can? There was a discussion in a firewall forum about how someone purchased some VOIP device for their business because it's standard in their industry, and the official support said they need to forward TCP and UDP ports 4,000-60,000. Why not just drop it in the DMZ while we're at it? This user has no choice but to use this device, otherwise they alienate all of their customers.

    • You can't legislate perimeter security. IoT devices run on home networks too, and no sane person is going to start arresting people for misconfiguring their wifi routers.

      If each device implements basic hardening and gets security updates, we eliminate 99% of the current problems. Since manufacturers will probably ship the same firmware to home users, that unregulated wasteland will get a little better over time.

      This bill only applies to equipment that vendors intend to sell to the US government. More sweepi

      • But you can legislate greater security for wifi routers. You're right that you can't punish people for not doing something they shouldn't need to know how to do. They can even be marketed as 'more secure wifi routers' and I bet people will buy them. Plus cheap IoT devices to plug into them.

        Securing at the endpoint drives up the price of said endpoint devices. It creates a regulatory environment with a high barrier to entry for new businesses.

      • What about redundant systems with rolling updates so you can update a router without taking the site down?

  • A good idea (Score:1)

    by Anonymous Coward

    Not requiring standards for the entire industry, but for vendors to the Federal government which, if they work, will then propagate as de facto requirements for the private sector.

  • Hopefully... (Score:3)

    by thegreatbob ( 693104 ) on Tuesday August 01, 2017 @12:53PM (#54920291) Journal
    Not holding my breath, but hopefully this will result in something resembling sanity. Tired of the pollution of the internet with crap configurations that would have smelled funny even in 1997. In addition to regulations for manufacturers, the end user REALLY needs to become educated about the dangers of connecting stuff all willy-nilly.
  • ...legislators get busy solving technical problems they don't understand. We all know they will direct us toward more superfluous complexity that we need to work around, but at least that produces more job security for me. So, in a way, those popular people are the experts at creating security!

  • A non-legislative approach (Score:3)

    by MobyDisk ( 75490 ) on Tuesday August 01, 2017 @12:55PM (#54920311) Homepage

    He added that the legislation was intended to remedy an "obvious market failure" that has left device manufacturers with little incentive to build with security in mind.

    This guy gets it. But I was hoping for a market solution. The government could start by requiring vendors of US government products to meet certain guidelines. States could require that police and government tech meets a standard. That typically makes civilian companies jump on board and require similar guidelines. Then individuals start to say "Oh, I only buy IP cameras that meet FIPS-12345 standards."

    This approach is nice because it is flexible, and allows the market to decide what standards to apply. I fear Senators trying to write tech legislation.

  • Please... (Score:3)

    by kurkosdr ( 2378710 ) on Tuesday August 01, 2017 @12:57PM (#54920317)
    Please... please... if some deity is listening, make it so this becomes a law. It's quite sad seeing my perfectly serviceable Nexus 4 and 5 not receive basic security patching, and this has already spread to TVs, and soon vacuum cleaners and smoke detectors are to follow.

  • Spinning wheels (Score:3)

    by ilsaloving ( 1534307 ) on Tuesday August 01, 2017 @01:13PM (#54920425)

    It's more important to APPEAR that you're doing something, than it is to ACTUALLY do something.

    How exactly do they propose to secure a marketing term? Cause that's all "Internet Of Things" is. It means absolutely nothing. While they're at it, why don't they also try to secure Big Data, The Cloud, and Web 2.0?

  • If the end game of IoT is to be ubiquitous then there is no way that you can rely on manual intervention to keep things up to date and secure. So how will this all be enforced?

  • Any device with internet connectivity needs to have a reasonable support window where the manufacturer provides known security updates. The unfortunate side effect is that support has large costs and will either drive down profit, or drive up price. People will care less (and buy less) when the magical IoT keyfob/light controller/toaster oven costs $500 instead of $99.

    • The big manufacturers who can afford the expensive 'Regulatory Affairs' staff will be delighted to be able to produce $139 toasters instead of $129 toasters if it makes it impossible for any upstarts to get into the market. In fact, I bet they would happily form a Trade Association to sit on the project and keep meddlesome startups out.

  • This bill, as proposed, will not keep up.
  • Let's also add to the bill a minimum support time for internet connected things. This would protect consumers from buying the latest internet connected coffee pot and having it stop working just because they didn't want to run the servers any more after 6 months.

    • Re: (Score:2)

      by mikael ( 484 )

      They would just put you onto an automated answering system and lead you down a maze of different questions, before reading out a disclaimer, the latest news, then putting you on hold. They would claim that was customer support.

  • Without laws that actually protect consumer information, privacy, etc. - no law like this will mean anything. First because it doesn't cover all losses, second because if someone has information but wasn't the person that hacked you, then they're not in the "wrong." It must be made illegal to have the information in the first place. Start with something like the EU "right to be forgotten" and go from there.

  • Auto-drive car: buy a new car every 4-5 years as updates stop after about 4 years, or you need a high labor cost (at the dealer) computer swap / or upgrade + the markup. Think Dell / HP-like 300-400% markup on HDDs and RAM before dealer labor charges.

