US Think Tank Wants To Regulate The Design of IoT Devices For Security Purposes

New submitter mikehusky quotes a report from The Register: Washington D.C. think tank the Institute for Critical Infrastructure Technology is calling for regulation on "negligence" in the design of internet-of-things (IoT) devices. If the world wants a bonk-detecting Wi-Fi mattress, it must be a malware-free bonk-detecting Wi-Fi mattress. The report adds: "Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a threat that is only beginning to be understood. The pair say the risk that regulation could stifle market-making IoT innovation (like the Wi-Fi cheater-detection mattress) is outweighed by the need to stop feeding Shodan. 'Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy. Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top 10 countries from which malicious IoT traffic originates.' State level regulation would be 'disastrous' to markets and consumers alike. The pair offer their report in the wake of the massive Dyn and Mirai distributed denial of service attacks in which internet of poorly-designed devices were enslaved into botnets to hammer critical internet infrastructure, telcos including TalkTalk, routers and other targets."

No mention of the internet architecture of course

[Pinky's+Brain]

This is the danger our resident experts create by going along with the IoT scare ...

The disease is the unpunished insecure practices by ISPs and the complete lack of cooperation in cutting off DDOS's at the source. The IoT mess is a symptom, a symptom laws won't help ... the programmers will still be using C after all (another root cause which must not be named).

Re:Be careful

[Pinky's+Brain]

That will help very little, approval doesn't make the device secure.

The network needs to be robust against insecure devices.

Re:No mention of the internet architecture of cour

[Pinky's+Brain]

Well that's the problem isn't it, how to create economic incentives for security.

We are poor at making developers and users bear the cost of insecurity in a way our Pavlovian reflexes will respond to (hence why we are still massively using C after decades of pointer fuck ups, even when efficiency can't possibly be an excuse for the massive economic damage caused 99% of the time). We are also poor at incentivizing backbones and ISPs at helping prevent/mitigate DDOS's.