US Senators To Introduce Bill To Secure 'Internet of Things' (reuters.com)
Dustin Volz, reporting for Reuters: A bipartisan group of U.S. senators on Tuesday plans to introduce legislation seeking to address vulnerabilities in computing devices embedded in everyday objects -- known in the tech industry as the "internet of things" -- which experts have long warned poses a threat to global cyber security. The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon.
It's good they're trying to do something, but the devil is in the details. For example, define "vulnerability". Anyone who's tried to remediate Nessus findings knows what I mean - those Low findings that just. won't. go. away. And do they mean internal or external vulns? etc, etc. And these things won't be determined in the law, they'll be decided by the bureaucrats implementing it. Pray that they're smart.
$100K year per site + 1K / year per device to HPE to manage it. Labor costs extra
It reminds me of that court case vs Toyota where they were citing (iirc) strcpy as proof that there was a braking issue. Not the usage of strcpy, no... just the presence of it. Not reproducing a bug... just show that strcpy was being used.
The hand-waving loose definitions non-coders get when they talk about code is amazing. While I think some regulation might be good, it would be a pretty jarring shift in how fast-and-loose the majority of the industry has become with code these days if people actually beca
hammers will be billed at 25K each!
Instead of encouraging robust perimeter security and a well thought out security model, let's just require expensive and ineffective security on every single little thing.
You can't legislate perimeter security. IoT devices run on home networks too, and no sane person is going to start arresting people for misconfiguring their wifi routers.
If each device implements basic hardening and gets security updates, we eliminate 99% of the current problems. Since manufacturers will probably ship the same firmware to home users, that unregulated wasteland will get a little better over time.
This bill only applies to equipment that vendors intend to sell to the US government. More sweepi
But you can legislate greater security for wifi routers. You're right that you can't punish people for not doing something they shouldn't need to know how to do. They can even be marketed as 'more secure wifi routers' and I bet people will buy them. Plus cheap IoT devices to plug into them.
Securing at the endpoint drives up the price of said endpoint devices. It creates a regulatory environment with a high barrier to entry for new businesses.
What about redundant systems with rolling updates so you can update a router without taking the site down?
Not requiring standards for the entire industry, but for vendors to the Federal government which, if they work, will then propagate as de facto requirements for the private sector.
He added that the legislation was intended to remedy an "obvious market failure" that has left device manufacturers with little incentive to build with security in mind.
This guy gets it. But I was hoping for a market solution. The government could start by requiring vendors of US government products to meet certain guidelines. States could require that police and government tech meets a standard. That typically makes civilian companies jump on board and require similar guidelines. Then individuals start to say "Oh, I only buy IP cameras that meet FIPS-12345 standards."
This approach is nice because it is flexible, and allows the market to decide what standards to apply. I fear Senators trying to write tech legislation.
It's more important to APPEAR that you're doing something, than it is to ACTUALLY do something.
How exactly do they propose to secure a marketing term? Cause that's all "Internet Of Things" is. It means absolutely nothing. While they're at it, why don't they also try to secure Big Data, The Cloud, and Web 2.0?
If the end game of IoT is to be ubiquitous then there is no way that you can rely on manual intervention to keep things up to date and secure. So how will this all be enforced?
The big manufacturers who can afford the expensive 'Regulatory Affairs' staff will be delighted to be able to produce $139 toasters instead of $129 toasters if it makes it impossible for any upstarts to get into the market. In fact, I bet they would happily form a Trade Association to sit on the project and keep meddlesome startups out.
